How to decrypt passwords that are encrypted in an SQL database [C#]

Question

so I am having a problem with this script I have. I created a new class in my project and it is named AesCryp.cs and it comes with both encryption and decryption methods. Here is the script:

class AesCryp
{
    public static string IV = "xxxxxxxxxxxxxxxx";
    public static string Key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";

    public static string Encrypt(string decrypted)
    {
        byte[] textbytes = ASCIIEncoding.ASCII.GetBytes(decrypted);
        AesCryptoServiceProvider encdec = new AesCryptoServiceProvider();
        encdec.BlockSize = 128;
        encdec.KeySize = 256;
        encdec.Key = ASCIIEncoding.ASCII.GetBytes(Key);
        encdec.IV = ASCIIEncoding.ASCII.GetBytes(IV);
        encdec.Padding = PaddingMode.PKCS7;
        encdec.Mode = CipherMode.CBC;

        ICryptoTransform icrypt = encdec.CreateEncryptor(encdec.Key, encdec.IV);

        byte[] enc = icrypt.TransformFinalBlock(textbytes, 0, textbytes.Length);
        icrypt.Dispose();

        return Convert.ToBase64String(enc);
    }

    public static string Decrypt(string encrypted)
    {
        byte[] encbytes = Convert.FromBase64String(encrypted);
        AesCryptoServiceProvider encdec = new AesCryptoServiceProvider();
        encdec.BlockSize = 128;
        encdec.KeySize = 256;
        encdec.Key = ASCIIEncoding.ASCII.GetBytes(Key);
        encdec.IV = ASCIIEncoding.ASCII.GetBytes(IV);
        encdec.Padding = PaddingMode.PKCS7;
        encdec.Mode = CipherMode.CBC;

        ICryptoTransform icrypt = encdec.CreateDecryptor(encdec.Key, encdec.IV);

        byte[] dec = icrypt.TransformFinalBlock(encbytes, 0, encbytes.Length);
        icrypt.Dispose();

        return ASCIIEncoding.ASCII.GetString(dec);
    }
}

I have made it when I create a new account, it will encrypt the password and insert it into the database. Here is the register script:

public bool Register(string user, string pass)
    {
        string query = $"INSERT INTO users (ID, Username, Password) VALUES ('', '{user}', '{pass}');";

        try
        {
            if (OpenConnection())
            {
                MySqlCommand cmd = new MySqlCommand(query, db);

                try
                {
                    cmd.ExecuteNonQuery();
                    return true;
                }
                catch (Exception ex)
                {
                    return false;
                }
            }
            else
            {
                db.Close();
                return false;
            }
        }
        catch (Exception ex)
        {
            db.Close();
            return false;
        }
    }

and here is the SignUp button script:

private void SignUp_Click(object sender, EventArgs e)
    {
        string user = usernameTxt.Text;
        string pass = AesCryp.Encrypt(passwordTxt.Text);

        if(Register(user, pass))
        {
            MessageBox.Show($"User {user} has been created!");
        }
        else
        {
            MessageBox.Show($"User {user} has not been created!");
        }

    }

However, I am just really confused on how I am going to make it so it decrypts the encrypted password in the database when I try to login. This is my login script without any decryption (because I'm not entirely sure how I would do it)

public bool IsLogin(string user, string pass)
    {
        string query = $"SELECT * FROM users WHERE Username='{user}' AND Password='{pass}';";

        try
        {
            if (OpenConnection())
            {
                MySqlCommand cmd = new MySqlCommand(query, conn);
                MySqlDataReader reader = cmd.ExecuteReader();

                if (reader.Read())
                {
                    reader.Close();
                    conn.Close();
                    return true;
                }
                else
                {
                    reader.Close();
                    conn.Close();
                    return false;
                }
            }
            else
            {
                conn.Close();
                return false;
            }
        }
        catch (Exception ex)
        {
            conn.Close();
            return false;
        }
    }

and here is the Login button script:

private void Login_Click(object sender, EventArgs e)
    {
        string user = usernameTxt.Text;
        string pass = passwordTxt.Text;

        if (IsLogin(user, pass))
        {
            MessageBox.Show($"Welcome {user}!");
        }
        else
        {
            MessageBox.Show("Username or password is incorrect!");
        }
    }

If anyone could help me out, then that would be great. Thank you!

Is there a reason you’re encrypting passwords instead of hashing them? It’s not usually a good idea to be able to recover the original passwords, key or no. — Ry-, Mar 24 '18 at 12:54
"How to decrypt passwords that are encrypted in an SQL database" You don't encrypt and decrypt passwords you should HASH your password's with bcrypt (best option because bcrypt is designed to be slow on GPU's) or use atleast sha256+ with a unique salt — Raymond Nijland, Mar 24 '18 at 12:55
Sorry to tell you this but you are doing it all wrong. Read this [Best way to store passwords in a database](https://stackoverflow.com/questions/1054022/best-way-to-store-password-in-database) — Steve, Mar 24 '18 at 12:55
encrypting data is a good starting step, the next one is hashing passwords instead encrypting them and to make it more secure remember using parametrized queries to avoid SQL Injection attacks — Cleptus, Mar 24 '18 at 12:58
Besides you should not hardcode this encrypt values within your application.. Annyone with a disassembler should reverse engineer the correct encrypt values. Live connecting to a MySQL database with a C# application is the same problem the username, password can be eazy found within a disassember. — Raymond Nijland, Mar 24 '18 at 13:02
Yeah, I understand. I am just using this tool for testing purposes so I can improve my SQL and C# skills. I also thought that it would be a good starting point @bradbury9, which is the reason why I was just testing it. — Tranquility, Mar 24 '18 at 13:05
Besides the really, really bad idea of encrypting passwords. You are also concatenating strings for your SQL query which leaves you vulnerable to SQL injection attacks. You should use parameters _always_. Also, to your comment that it’s a “good starting point”... Now that you know you should **never** do it this way, you shouldn’t waste your time learning the wrong ways of doing things. Start good practices now, you’ll be much stronger a programmer for it. — maccettura, Mar 24 '18 at 14:37
I would disagree that it’s a good starting point. Encryption is a lot harder than hashing and there’s a great chance you’re never going to use it on passwords. — Ry-, Mar 24 '18 at 15:09

How to decrypt passwords that are encrypted in an SQL database [C#]

0 Answers0