-1

I am using the RijndaelManaged object to encrypt and store passwords in my database. I currently have the key and vector arrays hard coded into the object. Obviously, this is not great because somebody could get the keys and decrypt all the passwords. What is the best way secure passwords and where should these keys be stored for max protection?

Thanks.

Dietpixel
  • 9,983
  • 11
  • 28
  • 33
  • possible duplicate of [Storing encryption keys -- best practices?](http://stackoverflow.com/questions/723653/storing-encryption-keys-best-practices) – Emond Aug 03 '11 at 13:42

2 Answers2

3

If you could store the keys securely then Reijndael would be great.

But you can't.

The general practice is: don't store the passwords at all. Store a Hash of the Pw ( + username + salt) and recalculate that when the user tries to log in.

H H
  • 263,252
  • 30
  • 330
  • 514
0

I am too using rijndael for encryption purposes. What I am doing is generating my key and vector on runtime, then storing them in a separate stub file. For decryption to occur, I read the key and vector from the stub file. Yes, it is still possible for the keys to be uncovered, but it is nearly impossible to keep them completely hidden.

Lastly, consider using private delimiters to mix in with the key and vector - this way you can split by delimiter and recover your key while an outside user would have no idea where to even begin.