Password encryption

Question

I am creating a login screen for an application in C#. In my login screen I am reading the username and password from the database and checking whether the entered username

Answer 1

Along with given advices, there are other methods to protect passwords:

1. One-Time Password: In spite of implementing salted hash, passwords are still stored on hard disk and are prone to be cracked. So a better approach is required here. In contrast with static passwords, one-time passwords are changed each time a user logs on to the system and usually users should carry a small hardware used for synchronizing with server. Mainly there are two types of OTP: (Visit Safer Authentication with a One-Time Password)

   • Time-Synchronized
   • Counter-Synchronized

2. Using BCrypt which uses a variant of the Blowfish encryption algorithm's keying schedule and contains a work factor, which lets you determine how expensive the hash function will be. In order to get familiar with bCrypt, visit: http://codahale.com/how-to-safely-store-a-password/

In C#, you can use BCrypt.Net library which is a port of iBCrypt library: read the following article to understand how to get this library up and running in Visual Studio.Net:

Using BCrypt in a .NET Application – Why it’s better than SHA or MD5.

Of course, there are a lot of discussions about this algorithm in SO, search and study more about this.

Answer 2

First: The common approach now is that store the salted hash of the password, instead of the plain-text password itself (SHA-1 and better hashing algorithm are preferred, avoid MD5 because it's not safe any more) . When the user login, you recalculate the hash of the input string, then compare it with string stored in the database.

EDIT: why shouldn't you use encryption for password? Because when the attacker knows the key of encryption, all of you passwords will be exposed (That's very bad). If you using hash, he just can guess one-by-one (and this is not easy). Otherwise, hash algorithms, in general, are faster then encryption, you'll take the performance benefit.

EDIT: why you should store salted hash, instead of a hash? Because hashing algorithms are guaranteed that if you hash identical strings, the result is the same. This may lead to a problem is that, when attacker see the same hash values, he can guess that the texts were the same, and this gives chance for him to get the original password.

Salt means that besides the original text, you put some random text, and therefore, two identical strings will generate different hash values

Take a look at this: http://www.obviex.com/samples/hash.aspx

In case of the user forgets his password, you can use the reset password function, which many sites are using:

1. The user requests a password reset
2. An email contains a special link (include a secret token/PIN) will be sent to registered email address, that allows user to reset his password.
3. A randomly created password will be sent again to user, then he can login and change his password.

UPDATE May 14th 2012: The answer seems to be old, and not completely true. People are moving to more secure hashing-encryption algorithm for storing password. One of notable solution now is bcrypt, and another (new and promising) is scrypt.

The advantage of these encryption? They're slow! Much slower than hashing algorithm. With the power of GPU (for example, CUDA from nVidia), cracking the hash value is not impossible now, and the slowness can make it much harder to crack these encryption.

You can find more about bcrypt at: http://codahale.com/how-to-safely-store-a-password/

Second: You should separate the users table (contains user profiles, such as full name, DoB, address,...) and logins table (Which contains user name and password, and some special attributes). This will lead to better management and reduce the risk of exposing sensitive information

Answer 3

You can encrypt the passwords in many ways.

One of the way is using the MD5 encryption. Let me show you one of the encryption method that I am using.

#region Encrypt
public string Encrypt(string simpletext, string keys)
{
    try
    {
        XCryptEngine xe = new XCryptEngine();

        xe.Algorithm = XCrypt.XCryptEngine.AlgorithmType.DES; //DES = Data Encryption Standard

        string cipher = xe.Encrypt(simpletext, keys);
        if (cipher != null)
            return (cipher);
        else
            return null;
    }

    catch (Exception ex)
    {
        throw ex;
    }
}
#endregion

#region Decrypt
public string Decrypt(string simpletext, string keys)
{
    try
    {
        XCryptEngine xe = new XCryptEngine();

        xe.Algorithm = XCrypt.XCryptEngine.AlgorithmType.DES;

        //Console.WriteLine(xe.Decrypt(simpletext, keys));
        simpletext = simpletext.Replace(" ", "+");
        string cipertext = xe.Decrypt(simpletext, keys);
        if (cipertext != null)
            return (cipertext);
        else
            return null;
    }
    catch (Exception ex)
    {
        throw ex;
    }
}
#endregion

you need to use reference for XCrypt to use this.

using XCrypt;

Answer 4

The password should be stored in database with encrypted value itself. And when user tries to login, encrypt the password with the same algorithm and then compare it to the value in db.

Md5 is usually used for password encryption as it cannot be decrypted. Incase the user forgets the password, he cannot retrive it back, but it can only be reset.

Hope this helps !

Answer 5

Are you implementing your own authentication mechanism? You can use already existing System.Web.Security microsoft authentication. By using Membership class you can validate user password without retrieving it from the database. This way you will be able to store the salted (encrypted) password in your database. Just use Membership.CreateUser and Membership.ValidateUser. If you don't need (performance wise or proprietary implementation) use existing implementations and save time.