Last post Jul 15, 2007 02:01 PM by Svante
Jul 11, 2007 06:51 AM | jaishankar2704
I am using Visual Studio 2003, framework 1.1.
Can anybody help me with password encryption? How is it used?
What are the methods for encryption & decryption?
Jul 11, 2007 09:25 AM | Michael Nemtsev
Jul 13, 2007 01:03 AM | jaishankar2704
Thanks Michael Nemtsev.
Is there any C# code for the encryption of the data?
I need to encrypt the password into alphabets, digits, symbols, etc.
After encryption, I need to decrypt also...
Jul 13, 2007 01:06 AM | Michael Nemtsev
Jul 15, 2007 02:01 PM | Svante
Don't get me wrong, but the fact that you need to ask the question implies that you should not attempt to implement this by yourself. Please don't. Under no circumstances should you do this, except to learn - but then you never, ever, use that code anywhere near
Instead, use the provided membership provider to handle your logins and passwords.
The basic principles behind secure password handling do NOT include encryption, and therefore no decryption. The basic principle is to use a so-called cryptographic hash, along with a 'salt'. A hash is a function designed such that, given an arbitrarily long sequence of bytes, it will compute a fixed-length checksum that has two major properties: it is very unlikely that two different sequences of bytes produce the same hash, and given a hash it is computationally infeasible to figure out which sequence of bytes produced the hash.
The password given by the user is concatenated with a random number, the 'salt', and a hash is calculated. It is this hash that is stored in the user database, along with the random 'salt'. When the user wants to log in, the provided password is taken, the 'salt' is picked up from the user database, the hash is computed again and the result is compared with what is stored in the user database. If they are equal, the correct password was entered and the login is accepted.
The reason for the 'salt' is so that you cannot precompute hashes for a dictionary for example - since the actual password is always hashed along with a random quantity, the salt, an attacker cannot perform a precomputation attack to speed up the search.
Now, go lookup the documentation for the membership provider, and use that! It comes complete with good defaults and a ready-made implementation of the above strategy that you and your users can trust.
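The salt-and-hash procedure Svante describes (generate a random salt, hash it together with the password, store both, recompute on login and compare), written out in C# as an added example that is not part of this thread and not code from any of its posters. It goes one step beyond the post by using PBKDF2 (an iterated, salted hash via the framework's Rfc2898DeriveBytes) instead of a single hash pass, which is the form of this scheme current guidance recommends, and it compares the two hashes in constant time. It assumes a modern runtime (.NET Core 2.1 or later / .NET 5+) for RandomNumberGenerator.Fill and CryptographicOperations.FixedTimeEquals, not the .NET 1.1 the original poster was on; the class and method names are the example's own.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not from the thread. Assumes .NET Core 2.1+ / .NET 5+.
public static class PasswordStore
{
    const int SaltSize = 16;        // 128-bit random salt, stored next to the hash
    const int HashSize = 32;        // 256-bit derived hash
    const int Iterations = 100_000; // work factor; raise it as hardware gets faster

    // Builds the record to store for a new user: "iterations:salt:hash" (Base64 parts).
    // The salt is random per user, so identical passwords produce different records
    // and no hash can be looked up in a precomputed table.
    public static string CreateRecord(string password)
    {
        byte[] salt = new byte[SaltSize];
        RandomNumberGenerator.Fill(salt);
        byte[] hash = Derive(password, salt, Iterations);
        return $"{Iterations}:{Convert.ToBase64String(salt)}:{Convert.ToBase64String(hash)}";
    }

    // Verifies a login attempt: pull the salt and iteration count out of the stored
    // record, recompute the hash from the supplied password, and compare.
    public static bool Verify(string password, string record)
    {
        string[] parts = record.Split(':');
        if (parts.Length != 3) return false;
        if (!int.TryParse(parts[0], out int iterations) || iterations <= 0) return false;

        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[1]);
            expected = Convert.FromBase64String(parts[2]);
        }
        catch (FormatException)
        {
            return false; // corrupt record: reject rather than throw
        }

        byte[] actual = Derive(password, salt, iterations);
        // Fixed-time comparison so response timing does not reveal how many
        // leading bytes of the hash matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // PBKDF2-HMAC-SHA256: the salted hash of the post, iterated to slow down guessing.
    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(HashSize);
        }
    }

    public static void Main()
    {
        // Constructed sample input for a stand-alone run.
        string record = CreateRecord("correct horse battery staple");
        Console.WriteLine(record);
        Console.WriteLine(Verify("correct horse battery staple", record));
        Console.WriteLine(Verify("wrong password", record));
    }
}
```

Nothing here can be "decrypted": the database holds only the salt and the derived hash, so a copy of the table does not give an attacker the passwords, which is exactly why the original question (encrypt, then decrypt) is the wrong shape. Storing the iteration count inside the record lets you raise the work factor later and re-hash users as they next log in.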