1

I want to create an application that can encrypt and decrypt my passwords using C#.

My idea is simple. I will use Substring to extract each letter from the entered string and I will manipulate the ASCI code and convert it to another letter. I will use the same method to encrypt them.

How difficult is it for someone to decrypt my generated password?

I'm looking for either suggestions or example code.

jball
  • 24,791
  • 9
  • 70
  • 92
Wassim AZIRAR
  • 10,823
  • 38
  • 121
  • 174

4 Answers4

9

In .NET there are a lot of secure ways for encryption. I think that instead of trying to implement yourself a solution you should better take a look at System.Security.Cryptography.

as-cii
  • 12,819
  • 4
  • 41
  • 43
8

Caesar cyphers are notoriously insecure. Abandon this method as fruitless. Do more research on password protection.

Joel Etherton
  • 37,325
  • 10
  • 89
  • 104
  • 1
    What about, If double encrypt them so I will encrypt them using Ceasar cyphers 2 times or maybe more ! – Wassim AZIRAR Dec 16 '10 at 18:40
  • 1
    @dotNET: Um, no. Any pair of Caesar cyphers is equivalent to a different single one. Don't try to invent your own cryptography. – Jon Skeet Dec 16 '10 at 18:43
  • 5
    @dotNet: Caesar cyphers are insecure to the point of useless. A human with a practiced eye can crack them without using a pencil. It would take longer for a computer to load a program to crack it than to actually crack it. I am very serious when I say you should do more research on password protection and encryption. Ideally you would never have a symmetric encryption applied to a password. Hashing or asymmetric encryption are more viable options. – Joel Etherton Dec 16 '10 at 18:44
  • Not to mention that in .NET any attacker can simply read your code and figure out what you're trying to do! Encryption must always be based on a secret that the attacker won't have. You can't ever have any secure method that is based on the attacker not knowing your algorithm. – Ran Dec 16 '10 at 19:22
3

There is rarely ever a reason to store an encrypted version of a password. That creates a security vulnerability. Instead, it is usually best to store a one-way hash (such as using SHA1) of the password combined with a random salt. Then you always compare the hash of entered passwords against hashes stored in the database, rather than ever actually comparing passwords.

The benefit of this approach is that no one can determine what a user's password is, even if he or she gains access to the database. And the salt makes identical passwords appear different from one another.

The following is an example of the creation of a random salt using the System.Security.Cryptography namespace.

byte[] salt = new byte[10];
RandomNumberGenerator.Create().GetBytes(salt);

You can combine the salt with the password and generate a one-way hash as follows:

byte[]  passwordBytes = new byte[Encoding.UTF8.GetByteCount(password) + salt.Length];  // Create buffer for password bytes and hash
int passwordLength = Encoding.UTF8.GetBytes(password, 0, password.Length, passwordBytes, 0);
salt.CopyTo(passwordBytes, passwordLength);
byte[] hash = null;
using (SHA512Managed hasher = new SHA512Managed()) {
  hash = hasher.ComputeHash(passwordBytes);
}

Store both the hashed password and the salt. When authenticating a user, use the same salt as that used when creating the stored hash to hash the password entered by the user. Compare this new hash to the one in the database.

Bradford Hoagland
  • 291
  • 2
  • 3
  • 1
    I just re-read your question, and I may have missed your point. If you are trying to create a way to store your own passwords for various sources in an encrypted fashion, then this approach is clearly not what you are after. However, I will leave this answer here for anyone interested in authentication approaches. – Bradford Hoagland Dec 16 '10 at 18:56
2

There are libraries that encrypt data for you. Their encryption algorithms are better than anything you can come up with. Use them.

robert
  • 33,242
  • 8
  • 53
  • 74