0

I have been working on an offline windows forms application that has sign-in and signup linked to SQL Database. Storing users' passwords, email, and username to local-DB.

I have done up to this...

public static string Encrypt(string encryptString,string EncryptionKey)
    {              
        byte[] clearBytes = Encoding.Unicode.GetBytes(encryptString);
        using (Aes encryptor = Aes.Create())
        {
            Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(EncryptionKey, new byte[] {
        0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64, 0x76, 0x65, 0x64, 0x65, 0x76
    });
            encryptor.Key = pdb.GetBytes(32);
            encryptor.IV = pdb.GetBytes(16);
            using (MemoryStream ms = new MemoryStream())
            {
                using (CryptoStream cs = new CryptoStream(ms, encryptor.CreateEncryptor(), CryptoStreamMode.Write))
                {
                    cs.Write(clearBytes, 0, clearBytes.Length);
                    cs.Close();
                }
                encryptString = Convert.ToBase64String(ms.ToArray());
            }
        }
        return encryptString;
    }

    private static Random random = new Random();
    public static string RandomString(int length)
    {
        const string chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%&*+-/";
        return new string(Enumerable.Repeat(chars, length)
          .Select(s => s[random.Next(s.Length)]).ToArray());
    }

An encryption key will be created randomly for each user while creating an account(sign-up) and it will be stored in DB for decryption(sign-in). Is this the correct way? How can I use this method and store keys in a safe way?

I have gone through some websites and blogs, But cannot understand what's the right approach to store users' data to the database and if so, in which manner or format it should be stored?

Mainly,

  1. My confusion is should we only hash the password(stored in DB) and check with the hash generated from the user's password while logging in?.

  2. How do big tech companies store passwords into databases?

Thanks in advance

Kaisi Dev
  • 3
  • 2
  • See [Difference between Hashing a Password and Encrypting it](https://stackoverflow.com/questions/326699/difference-between-hashing-a-password-and-encrypting-it) – gunr2171 Nov 01 '21 at 11:58
  • 1
    Do not invent your own way of storing passwords. Passwords should be salted and hashes with a brute force resistant and future-proof algorithm. There are numerous articles on how to store passwords correctly, See for example [storing passwords in .net](https://medium.com/dealeron-dev/storing-passwords-in-net-core-3de29a3da4d2). – JonasH Nov 01 '21 at 12:04

1 Answers1

0

In short:

  1. It is enough to only hash it, as the hashes (done properly) aren't reversable (in practice).
  2. Different companies take different approaches, but most of them don't store hashed passwords on premises, but use some cloud solution, often third party one to do so.

And as to HOW to encrypt / hash passwords, there is a lot of info on it out there.

markovic-m
  • 161
  • 1
  • 1
  • 7