I am about to make a 'Log In' for my app and was wondering what is the best way to encrypt a password for my user that I will enter in my database? I found many ways on Google but don't know which is the best.
Do you need "Encrypted" passwords or "Hashed" passwords? This is not the same. Hashed is more secure, but if you need to be able to read them someday, then Encrypted is the way to go. Most answers below assume you want hashes. Can you clarify :) ? – Simon Mourier Dec 04 '10 at 11:24
I want hashes. More secure :) – Alex Dec 04 '10 at 12:06
5 Answers
I would go with a one way salted hash.
Using a SHA1 hash, for example, you would have a way to store the password as a hash which cannot be reversed back to the original password. Then when the user enters his/her password, you perform the same SHA1 hash on the password and compare that hash with what you have stored in the DB; if they match, then the password is correct.
To further secure the hashing, you can add a salt. This is essentially a randomly generated value that you generate for each user when you create the account, and store the salt value in the user record. When you create the hash of the password, you first combine the password with the salt and hash this combined value. To authenticate the user, you combine the entered password with the salt stored for the user, perform the hash on the combined value and compare.
By adding the salt to the mix, you ensure that passwords that happen to be the same have a different hash because the salted portion differs. So if two users have the same password "Password1234", the stored hash for the two will not be the same, so it cannot be determined that two users have the same password.

+1, but I would not recommend using SHA1. I'd recommend blowfish/twofish or SHA-2. See: http://stackoverflow.com/questions/1561174/sha512-vs-blowfish-and-bcrypt – Falcon Dec 04 '10 at 11:17
Pure SHA1/SHA2 isn't optimal since it's fast and thus more susceptible to brute-force. So using a good KDF is better. – CodesInChaos Dec 04 '10 at 11:24
This is a great place to get started on this: http://www.obviex.com/samples/EncryptionWithSalt.aspx – Tom Dec 04 '10 at 11:27
Salted hashes are all well and good, but they don't protect against brute-force attacks - SHA is fast. These days, you can rent access to password-breaking clusters built with GPGPUs, and those are *fast* at bruteforcing. – snemarch Dec 04 '10 at 11:42
I recommend using Rfc2898DeriveBytes.
It uses a good standardized key derivation function and modern hashes. You need to pass in a salt in addition to the password to prevent rainbow tables. And it mixes salt and password for you, so you don't need to figure out how to do that yourself.

Use bcrypt. No, really, drop whatever ideas you have of building your own method, and use bcrypt. The world has enough homebrew insecure password hashing schemes already.
Storing salted password hashes, with per-user salts of course, is all well and good. But salting only prevents rainbow table attacks, it doesn't prevent bruteforcing. So, paradoxically, you don't want to use a fast method to generate or verify the password hashes. MD5, SHA, whatever - they're all fast. Repeat after me: use bcrypt.

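As an added illustration of the cost argument this answer makes (my code, not the answer's; bcrypt itself is not in the .NET Framework, so Rfc2898DeriveBytes stands in as the slow KDF), the block below times one SHA1 round over salt plus password against one PBKDF2 derivation, and shows the knob a defender tunes: doubling the iteration count until one derivation costs a chosen number of milliseconds. The class and method names, the fixed timing salt and the sample password are my assumptions, and the measured numbers depend on the machine.

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the answer. Compares the per-hash cost of a single
// SHA1 round (the "fast method" the answer warns against) with a PBKDF2 derivation
// via Rfc2898DeriveBytes, then picks an iteration count for a target login cost.
public static class KdfWorkFactor
{
    // Constructed inputs for timing only; a real system uses a random salt per user.
    private static readonly byte[] TimingSalt = Encoding.UTF8.GetBytes("16-byte-salt-abc");
    private const string SamplePassword = "Password1234";

    // Average milliseconds for one SHA1 over salt + password.
    public static double Sha1MillisPerHash(int samples)
    {
        byte[] pw = Encoding.UTF8.GetBytes(SamplePassword);
        byte[] input = new byte[TimingSalt.Length + pw.Length];
        Buffer.BlockCopy(TimingSalt, 0, input, 0, TimingSalt.Length);
        Buffer.BlockCopy(pw, 0, input, TimingSalt.Length, pw.Length);

        using (var sha1 = SHA1.Create())
        {
            var sw = Stopwatch.StartNew();
            for (int i = 0; i < samples; i++)
                sha1.ComputeHash(input);
            sw.Stop();
            return sw.Elapsed.TotalMilliseconds / samples;
        }
    }

    // Average milliseconds for one PBKDF2 derivation at the given iteration count.
    public static double Pbkdf2MillisPerHash(int iterations, int samples)
    {
        var sw = Stopwatch.StartNew();
        for (int i = 0; i < samples; i++)
        {
            using (var kdf = new Rfc2898DeriveBytes(SamplePassword, TimingSalt, iterations))
                kdf.GetBytes(32);
        }
        sw.Stop();
        return sw.Elapsed.TotalMilliseconds / samples;
    }

    // Double the iteration count until a single derivation costs at least targetMillis:
    // slow enough to blunt offline guessing, fast enough that a login stays responsive.
    public static int IterationsForTarget(double targetMillis)
    {
        int iterations = 1000;
        while (Pbkdf2MillisPerHash(iterations, 3) < targetMillis)
            iterations *= 2;
        return iterations;
    }

    public static void Main()
    {
        double sha1 = Sha1MillisPerHash(100000);
        double kdf = Pbkdf2MillisPerHash(10000, 20);
        Console.WriteLine("SHA1(salt + password):    {0:F4} ms per hash", sha1);
        Console.WriteLine("PBKDF2, 10000 iterations: {0:F2} ms per hash", kdf);
        Console.WriteLine("PBKDF2 costs roughly {0:N0} times as much per guess", kdf / sha1);
        Console.WriteLine("Iterations for ~100 ms per login: {0}", IterationsForTarget(100));
    }
}
```

The ratio printed on the third line is the point of the answer: a salt stops precomputed tables, but only the work factor raises the cost of each guess, and that cost applies equally to the legitimate login and to anyone guessing offline, which is why the target is chosen in milliseconds per login rather than as large as possible.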
Bcrypt and PBKDF2 (aka RFC2898) are both fine KDFs. But *do* use a real KDF! – caf Dec 06 '10 at 04:15
You can use the RSA algorithm: http://www.codeproject.com/KB/security/RSACryptoPad.aspx

Use a cryptography algorithm provided by the .NET Framework.
Normally, many applications use the MD5 algorithm.

Unless you absolutely need the smaller key size or the speed, there is really no reason to use MD5 in new applications. – Cody Gray - on strike Dec 04 '10 at 11:17
There is no reason to use MD5 except backwards compatibility. For new code I'd prefer SHA-1 or SHA-2 – CodesInChaos Dec 04 '10 at 11:18
Definitely SHA-2. The .NET Framework provides SHA256 and SHA512 as built-in functions in the [`System.Security.Cryptography`](http://msdn.microsoft.com/en-us/library/system.security.cryptography.aspx) namespace. – Cody Gray - on strike Dec 04 '10 at 11:20