Best method of hashing in ASP.Net

Last post 01-09-2009 1:43 AM by dhirendra.singh. 12 replies.

  • Best method of hashing in ASP.Net

    12-29-2008, 6:54 AM
    • Member
      52 point Member
    • jaishankar2704
    • Member since 05-17-2007, 7:20 AM
    • Hyderabad
    • Posts 239

    Hi. I am developing a web application.

    I am using a hash technique for storing & retrieving passwords. What hashing method do you suggest for my userId & passwords

    (DSA/RSA/SHA1Managed/MD5CryptoService/Provider/DES/Rijndael) and for how many bits and why?

    Please help me.

    Thanks & Regards
    Jai
  • Re: Best method of hashing in ASP.Net

    12-29-2008, 8:40 AM
    • All-Star
      65,332 point All-Star
    • TATWORTH
    • Member since 02-04-2003, 8:34 AM
    • England
    • Posts 12,708
    • TrustedFriends-MVPs

    I suggest that you get the Hash function in the CommonData project at http://www.CodePlex.Com/CommonData

    The functions come with comprehensive unit tests to both exercise the code and to show how the functions should be used.

    The hash string to string function uses a salt (which you should change to a GUID string).

    Incidentally, my compliments to you for realising that you need to use hash functions for a password.

    Don't forget to click "Mark as Answer" on the post that helped you.
    This credits that member, earns you a point and marks your thread as Resolved so we will all know you have been helped.
    See the FAQ on the correct forum to post at, at http://forums.asp.net/p/1337412/2699239.aspx#2699239
  • Re: Best method of hashing in ASP.Net

    12-29-2008, 8:49 AM
    Answer
    • Participant
      1,571 point Participant
    • Deleo
    • Member since 11-04-2007, 3:33 PM
    • Norway
    • Posts 319

    Hmm, do you mean encryption or hashing? They are two different concepts :)

    You mention all the different encryption you can perform, but one hashing. If I am not mistaken, SHA1 and MD5 are the only ones that use hashing. :)

    Encryption has by default both methods; encryption and decryption, hashing has not.

    Hashing is a one way "encryption", it cannot be decrypted :p

    The difference between the two is that SHA1 has a 160-bit algorithm and MD5 runs on 128 bits.

    I usually use MD5 and find that good enough, but in the end it's up to you :p

    --- Imagination was given to man to compensate him for what he is not; a sense of humor to console him for what he is ---
  • Re: Best method of hashing in ASP.Net

    12-30-2008, 1:45 AM
    • Member
      52 point Member
    • jaishankar2704
    • Member since 05-17-2007, 7:20 AM
    • Hyderabad
    • Posts 239

    Thank you so much for explaining the difference between Hashing & Algorithm.

    Coming to the security & performance issues, if I use 128/160 bit, will it be secure when compared to 256 & 512 and also will it impact the performance?

    Thanks in advance

    Thanks & Regards
    Jai
  • Re: Best method of hashing in ASP.Net

    12-30-2008, 3:48 AM
    Answer
    • Participant
      1,571 point Participant
    • Deleo
    • Member since 11-04-2007, 3:33 PM
    • Norway
    • Posts 319

    The performance-wise difference between MD5 and SHA1 is about 33% in favor of MD5. BUT MD5 is more vulnerable to brute attack than SHA1, hence the higher bit algorithm.

    You can upgrade your SHA1 to SHA512 which uses a much higher bit (512) in their algorithm, but this is 55% slower than SHA1.

    These performance numbers are with 1 user, the numbers are greater at more concurrent users.

    For example, 5 concurrent users: MD5 is 43% faster than SHA1, and SHA1 is 73% faster than SHA512. Beginning to see the picture?

    You can add more security to your application, but at the cost of performance, and it is a lot when you are talking about heavy load servers.

    PS: it is tested with data sizes of 4 KB, 135 KB and 1 MB, then taken the overall performance of the three. DS
  • Re: Best method of hashing in ASP.Net

    12-30-2008, 7:28 AM
    • Member
      76 point Member
    • dhirendra.singh
    • Member since 10-19-2007, 6:30 AM
    • Noida, India
    • Posts 28

    I would suggest going for SHA-1 for performance.

    Jadon
  • Re: Best method of hashing in ASP.Net

    01-05-2009, 2:24 AM
    • Participant
      1,571 point Participant
    • Deleo
    • Member since 11-04-2007, 3:33 PM
    • Norway
    • Posts 319

    Happy new year, and I'd like to thank you for bringing this topic up for questioning. It got me started reading about cryptology to freshen up the memory banks :p

    It turns out that neither SHA-1 nor MD5 is considered safe as standards these days, it is recommended therefore that you use one of the SHA-3 (SHA256, 512 or the other one I forgot).
  • Re: Best method of hashing in ASP.Net

    01-05-2009, 8:46 AM
    • Member
      52 point Member
    • jaishankar2704
    • Member since 05-17-2007, 7:20 AM
    • Hyderabad
    • Posts 239

    Happy new year & wish you the same. :-)

    Other than hashing, may I know other steps which can protect against hackers? It will be very useful for me as well as other users who read this post. Please suggest some with examples.

    Thanks in advance

    Thanks & Regards
    Jai
  • Re: Best method of hashing in ASP.Net

    01-05-2009, 9:18 AM
    • All-Star
      65,332 point All-Star
    • TATWORTH
    • Member since 02-04-2003, 8:34 AM
    • England
    • Posts 12,708
    • TrustedFriends-MVPs

    > it is recommended therefore that you use one of the SHA-3 ( SHA256, 512 or the other one i forgot ).

    Thank you for the information. I read today of a demonstration of the cracking (by a bank of PlayStations) of an MD5 key, typical of those used to authenticate internet shopping.
  • Re: Best method of hashing in ASP.Net

    01-05-2009, 12:17 PM
    • All-Star
      65,332 point All-Star
    • TATWORTH
    • Member since 02-04-2003, 8:34 AM
    • England
    • Posts 12,708
    • TrustedFriends-MVPs

    In the light of the suspect nature of MD5, I have updated the CommonData project at http://www.codeplex.com/CommonData to use SHA256 for hashing.
  • Re: Best method of hashing in ASP.Net

    01-08-2009, 4:49 AM
    • Participant
      1,571 point Participant
    • Deleo
    • Member since 11-04-2007, 3:33 PM
    • Norway
    • Posts 319

    It will be easier to give you answers if you define your question better in what way you want your code hacker proof. There is no way to make a code 100% hacker proof, so by default always treat all inputs from users as an attack. And always presume your system will be hacked, and design your backup system orderly.

    1) What do you need protecting? (Input from users, data in db, files on server, cookies, etc.)

    Making your system "hacker-proof" is too large a topic to cover in this forum, so if you really are into the subject, I suggest you look up some books on Amazon :)
  • Re: Best method of hashing in ASP.Net

    01-08-2009, 5:23 AM
    • All-Star
      65,332 point All-Star
    • TATWORTH
    • Member since 02-04-2003, 8:34 AM
    • England
    • Posts 12,708
    • TrustedFriends-MVPs

    > There is no way to make a code 100% hacker proof, so by default always treat all inputs from users as an attack.

    This is very sound advice.

    I suggest that you put as much code as possible into a class library so that it can be more readily unit tested. You should also investigate using an automated GUI testing tool such as WatiN (free!) or NUnitASP (also free but no longer being developed).
  • Re: Best method of hashing in ASP.Net

    01-09-2009, 1:43 AM
    • Member
      76 point Member
    • dhirendra.singh
    • Member since 10-19-2007, 6:30 AM
    • Noida, India
    • Posts 28

    There is no 100% foolproof solution to secure your application from hackers; rather, you could just make it harder for a hacker to thwart (break) your application security.

    There are various things you could implement to secure your application. Even Microsoft has provided a checklist for securing your ASP.NET application...

    Just check through... it will be helpful to you.

    http://msdn.microsoft.com/en-us/library/ms998249.aspx
    http://msdn.microsoft.com/en-us/library/aa302341.aspx

    Ok!

    Jadon