I want to store username and password in SQL Server database. How should I encrypt and decrypt password?
You shouldn't decrypt the password. The standard for passwords is one-way encryption with a hashing algorithm. Creating a hash value for a password is very secure because the hash value can never be used to reproduce the original password. When the user supplies an initial password you create a hash value and store that. When that user logs in you create a hash value for the password they use and if it matches the stored value then they're validated. Here's an example of hashing a password using the SHA1 algorithm:
VB Code:
    Dim password As String = "password"
    Dim input As Byte() = System.Text.Encoding.ASCII.GetBytes(password)
    Dim output As Byte() = New Security.Cryptography.SHA1CryptoServiceProvider().ComputeHash(input)
    ' Encode the digest bytes as hex. Decoding them as ASCII text (as originally posted)
    ' turns every byte above 127 into "?", so the stored value would not be a faithful copy of the hash.
    Dim hashValue As String = BitConverter.ToString(output).Replace("-", "")
    MessageBox.Show(hashValue)
I was wondering about encryption... now if you could develop a program that could list password possibilities from a hash value, I have heard that there would be more than one password possibility because of the way the password is encrypted through a one-way algorithm. Technically, isn't there more than one password or phrase that could give the same hash value, therefore allowing someone who, let's just say, knew all of the different passwords to be able to get into someone's data just by using the different combinations of passwords? Now I know that if there are different possibilities they most likely wouldn't be words or anything... probably a mix of letters and symbols. I was just wondering if this is how it works.
Do you understand what my question is... it's a little hard to explain. I'm sure I'm totally wrong though.
The likelihood of two different inputs returning the same hash value is infinitesimally small. Also, the bit about listing all the possible inputs to produce the same hash value is simply not feasible, since there is no way to get the original input from the hash value. The only way to do it would be brute force, i.e. encrypt every possible input and see what hash value it produces. If you're using fairly strong passwords, i.e. of a reasonable length and a reasonable number of different characters, then that brute force attack will take a lot of processing power. For instance, a four-character password that can include digits and upper- or lower-case letters has 14776336 possible values. Given that passwords are usually longer than four characters the number gets even bigger.
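The brute-force attack the reply describes, written out as an added example (not from the original thread): it hashes every four-character string over the 62-character alphabet, 62^4 = 14776336 candidates, until one matches a target SHA-1 digest. The target is constructed inside the block from a known password, and the function and helper names are this example's own. Running it shows the practical side of the reply's arithmetic: an unsalted four-character password falls in minutes at most on one ordinary core, and because the hash is unsalted the same run cracks every user who chose that password.

```vbnet
' Added example, not from the original thread: exhaustive search of the 62^4
' four-character space against an unsalted SHA-1 digest. Names are this example's own.
Imports System
Imports System.Diagnostics
Imports System.Security.Cryptography
Imports System.Text

Public Module BruteForceDemo

    Private Const Alphabet As String = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

    ' Same computation as the reply's snippet, returned as a hex string.
    Public Function Sha1Hex(ByVal s As String) As String
        Dim sha As New SHA1CryptoServiceProvider()
        Dim digest As Byte() = sha.ComputeHash(Encoding.ASCII.GetBytes(s))
        Return BitConverter.ToString(digest).Replace("-", "")
    End Function

    ' Tries every 4-character string over Alphabet and returns the first one whose
    ' SHA-1 equals targetHex, or Nothing if none matches.
    Public Function CrackFourChars(ByVal targetHex As String) As String
        Dim target As Byte() = HexToBytes(targetHex)
        Dim sha As New SHA1CryptoServiceProvider()
        Dim chars As Byte() = Encoding.ASCII.GetBytes(Alphabet)
        Dim candidate(3) As Byte
        For Each c0 As Byte In chars
            candidate(0) = c0
            For Each c1 As Byte In chars
                candidate(1) = c1
                For Each c2 As Byte In chars
                    candidate(2) = c2
                    For Each c3 As Byte In chars
                        candidate(3) = c3
                        If SameBytes(sha.ComputeHash(candidate), target) Then
                            Return Encoding.ASCII.GetString(candidate)
                        End If
                    Next
                Next
            Next
        Next
        Return Nothing
    End Function

    Private Function HexToBytes(ByVal hex As String) As Byte()
        Dim result(hex.Length \ 2 - 1) As Byte
        For i As Integer = 0 To result.Length - 1
            result(i) = Convert.ToByte(hex.Substring(i * 2, 2), 16)
        Next
        Return result
    End Function

    Private Function SameBytes(ByVal a As Byte(), ByVal b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        For i As Integer = 0 To a.Length - 1
            If a(i) <> b(i) Then Return False
        Next
        Return True
    End Function

    Sub Main()
        ' Constructed target: the digest an application would have stored for this password.
        Dim stolenHash As String = Sha1Hex("Zx9q")
        Dim timer As Stopwatch = Stopwatch.StartNew()
        Dim found As String = CrackFourChars(stolenHash)
        timer.Stop()
        Console.WriteLine("Recovered password: " & found)
        Console.WriteLine("Candidates in space: " & (62L * 62L * 62L * 62L).ToString())
        Console.WriteLine("Elapsed: " & timer.Elapsed.ToString())
    End Sub

End Module
```

Each extra character multiplies the space by 62, and a per-user salt forces the attacker to repeat the whole search for every account instead of once for the whole table; together with a slow, iterated hash that is what turns "a lot of processing power" into an impractical amount.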
Thanks.
I have one more question about the ConnectionString to the database. We usually store the ConnectionString to the database in a configuration file (ApplicationName.exe.config or Web.config), which includes the username and password. This file is just a text file, so users can open this file and see the username and password. How do I encrypt the password or prevent this? Need help.
Please specify your version when creating a thread in future. If you need to store a password that you need to retrieve and use to log into somewhere else then obviously one-way (asymmetric) encryption will not work as it will for validating users. In that case you'll have to use two-way (symmetric) encryption. If you're using VB 2005 (hence the need for a version) then the Framework has in-built support for encryption and on-the-fly decryption of config files. If you're using an earlier version then you're going to have to implement your own symmetric encryption scheme.
I am using VB 2003. Is there any example of two-way (symmetric) encryption? Some people said that we should store the connection string in the Windows registry. Is it common or not? Could you explain more about the built-in support for encryption in VB 2005?
You'd still need to encrypt the password if it was in the registry anyway.
Search MSDN and Google for .NET encryption.
It says ASP.NET but the same technique can be used for WinForms too:
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
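For the VB 2003 (.NET 1.1) case, where the built-in config-section encryption of .NET 2.0 is not available, here is an added example (not code from the thread or from the linked article) of the two-way symmetric scheme the replies refer to: the connection string is encrypted with Rijndael/AES in CBC mode under a 256-bit key, a fresh random IV is prepended to each ciphertext, and the whole thing is Base64-encoded so it can sit in the config file. The class and method names are this example's own, and the syntax is limited to what VB 2003 accepts (no Using blocks, no loop variables declared in the For statement). Note that the key is the real secret: if it is stored next to the ciphertext in the same file, the scheme only obscures the password rather than protecting it. Keep the key in a file readable only by the service account, or under DPAPI, outside the web root. (One terminology point for readers: hashing is one-way but is not "asymmetric" encryption; asymmetric means a public/private key pair, which is what the RSA provider in the linked article uses.)

```vbnet
' Added example, not from the original thread: symmetric (Rijndael/AES-CBC)
' encryption of a connection string for .NET 1.1 / VB 2003. All names are this
' example's own. The key must be stored separately from the config file.
Imports System
Imports System.Security.Cryptography
Imports System.Text

Public Class ConnectionStringProtector

    Private ReadOnly key As Byte()

    Public Sub New(ByVal key As Byte())
        If key.Length <> 32 Then Throw New ArgumentException("Key must be 32 bytes (256 bits)")
        Me.key = key
    End Sub

    ' Generates a random 256-bit key. Do this once and keep the result in a
    ' protected location; never derive it from something that is also in the config.
    Public Shared Function NewKey() As Byte()
        Dim k(31) As Byte
        Dim rng As New RNGCryptoServiceProvider()
        rng.GetBytes(k)
        Return k
    End Function

    Private Function NewCipher() As RijndaelManaged
        Dim cipher As New RijndaelManaged()
        cipher.KeySize = 256
        cipher.BlockSize = 128
        cipher.Mode = CipherMode.CBC
        cipher.Padding = PaddingMode.PKCS7
        cipher.Key = key
        Return cipher
    End Function

    ' Returns Base64(IV || ciphertext). A random IV per call means the same
    ' connection string never encrypts to the same output twice.
    Public Function Encrypt(ByVal plaintext As String) As String
        Dim cipher As RijndaelManaged = NewCipher()
        cipher.GenerateIV()
        Dim iv As Byte() = cipher.IV
        Dim encryptor As ICryptoTransform = cipher.CreateEncryptor()
        Dim data As Byte() = Encoding.UTF8.GetBytes(plaintext)
        Dim encrypted As Byte() = encryptor.TransformFinalBlock(data, 0, data.Length)
        Dim output(iv.Length + encrypted.Length - 1) As Byte
        Array.Copy(iv, 0, output, 0, iv.Length)
        Array.Copy(encrypted, 0, output, iv.Length, encrypted.Length)
        Return Convert.ToBase64String(output)
    End Function

    ' Reverses Encrypt: splits off the IV, then decrypts the remainder.
    Public Function Decrypt(ByVal encoded As String) As String
        Dim input As Byte() = Convert.FromBase64String(encoded)
        Dim cipher As RijndaelManaged = NewCipher()
        Dim ivLen As Integer = cipher.BlockSize \ 8
        If input.Length <= ivLen Then Throw New CryptographicException("Ciphertext too short")
        Dim iv(ivLen - 1) As Byte
        Array.Copy(input, 0, iv, 0, ivLen)
        cipher.IV = iv
        Dim decryptor As ICryptoTransform = cipher.CreateDecryptor()
        Dim plain As Byte() = decryptor.TransformFinalBlock(input, ivLen, input.Length - ivLen)
        Return Encoding.UTF8.GetString(plain)
    End Function

    Public Shared Sub Main()
        ' Constructed sample values; in a real application the key is loaded from its
        ' protected store and the encrypted string is read from the config file.
        Dim key As Byte() = NewKey()
        Dim protector As New ConnectionStringProtector(key)
        Dim connStr As String = "Server=dbhost;Database=App;User Id=appuser;Password=S3cret!;"
        Dim stored As String = protector.Encrypt(connStr)
        Console.WriteLine("Value to put in the config file: " & stored)
        Console.WriteLine("Round trip OK: " & (protector.Decrypt(stored) = connStr).ToString())
    End Sub

End Class
```

Two caveats for production use. First, this scheme encrypts but does not authenticate: a modified ciphertext decrypts to garbage or a padding error rather than being rejected up front, so add an HMAC over IV and ciphertext if anyone other than the service account can write the file. Second, on VB 2005 / .NET 2.0 none of this is needed for web applications: `aspnet_regiis -pef "connectionStrings" C:\path\to\app` encrypts the section in place with the machine's DPAPI or RSA provider, and ConfigurationManager decrypts it transparently at runtime, which is what the linked article walks through.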