hash passwords?

[Crash893]

hi all,

I need to store user name and password data in a DB for authentication purposes

I was told that i shouldn't store the pass per say but the hash of the password

I am very new to this and im not sure what the best way to Proceed is.

[jmcilhinney]

When the user creates an account you hash the password, probably salting it too, and then store the hash value in the database. When the user logs in you hash the password they provide and then compare that value to what's in the database.

To create the hash you would probably use SHA1 or MD5, both of which are supported by the .NET Framework in the System.Security.Cryptography namespace. As for salting:

http://www.bing.com/search?q=salting+a+hash&form=OSDSRC

[Crash893]

I don't think salting will be necessary this isn't a huge program ( maybe after i get a handle on what im doing)



so far to hash i use

c# Code:

private string MD5(string input)
        {
            MD5CryptoServiceProvider md5 = new MD5CryptoServiceProvider();
 
            byte[] originalBytes = ASCIIEncoding.Default.GetBytes(input);
            byte[] encodedBytes = md5.ComputeHash(originalBytes);
 
            return BitConverter.ToString(encodedBytes).Replace("-", "");
        }

how would i verify that hash?

[jmcilhinney]

You would not use this for a start:

Code:

ASCIIEncoding.Default

Default is a property of the Encoding class that gets a default Encoding object. Either you want a default Encoding or you want an ASCII Encoding. If you want a default encoding then you'd use Encoding.Default. If you want an ASCII Encoding you'd use Encoding.ASCII.

I'd also be inclined to either use an Encoding in both directions or the BitConverter in both directions. There doesn't seem to be a reason to mix the two.

Finally, is there a particular reason you're removing dashes from the result? That could conceivably result in the same has for multiple passwords.