Code Ratchet

Reputation: 6029

Encryption in C#

I have stumbled across the below snippet, which encrypts a user's password. This is what I want to do because I don't want to store the user's password in the database without any encryption.

This is working fine for what I want to achieve, but my question is this: how can I un-encrypt it to make sure the value they have entered in the password box matches?

using System.Web.Security; // FormsAuthentication lives here (.NET Framework)

// Hash the password details of the user!
private static string CreatePasswordHash(string pwd, string salt)
{
  string saltAndPwd = string.Concat(pwd, salt);
  string hashedPwd =
    FormsAuthentication.HashPasswordForStoringInConfigFile(saltAndPwd, "SHA1");
  hashedPwd = string.Concat(hashedPwd, salt);
  return hashedPwd;
}

I call the above like this:

string password = CreatePasswordHash(TxtPassword.Text, "1579");

The password then becomes something like this: 566DAB495AD0747B49865F9177E430DFAD63CA281579

So how do I un-encrypt that?

Thank you for your time.

Upvotes: 1

Views: 543

Answers (2)

Eric Lippert

Reputation: 660493

First off, do not attempt to write your own password storage system. You will get it wrong and build an insecure system. Hire an expert who specializes in this sort of thing, have them write the system, and train you in its correct usage and maintenance.

Second, the whole point of that code is that it is impossible for you to find out the user's password. Their password is none of your business. The point of the salted hash is to build a verification system whereby you do not have to store their password in the first place but you can still verify that they know their password.

To understand how that works, read my four-part series of articles on that subject:

http://blogs.msdn.com/b/ericlippert/archive/tags/salt/

But again do not attempt to do this yourself. Hire an expert with decades of experience in this space if you need to do security work.

Upvotes: 8

Nick Butler

Reputation: 24433

The point of a hash is that no-one can decrypt it!

When a user attempts a login, you hash the entered password, and then compare the hash with what's in the database. If the hash matches, then the password was correct.

Upvotes: 5
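Putting Nick's point into code, as an added example that is not from the question or either answer: the stored value in the question is the hex hash with the salt appended, so a login check peels the salt off the end, recomputes the hash with the same routine and compares the two strings. It assumes .NET Framework (System.Web.Security) and a 4-character salt as in the question, and uses a constructed sample password.

```csharp
using System;
using System.Web.Security; // .NET Framework only; FormsAuthentication lives here

static class PasswordCheck
{
    // Same construction as the question: HEX(SHA1(pwd + salt)) followed by the salt.
    static string CreatePasswordHash(string pwd, string salt)
    {
        string hashedPwd =
            FormsAuthentication.HashPasswordForStoringInConfigFile(pwd + salt, "SHA1");
        return hashedPwd + salt;
    }

    // Verification never "un-encrypts": it takes the salt that was appended to the
    // stored value, recomputes the hash from the candidate password with that salt,
    // and checks whether the result equals what is in the database.
    static bool VerifyPassword(string candidate, string stored, int saltLength)
    {
        if (stored == null || stored.Length <= saltLength) return false;
        string salt = stored.Substring(stored.Length - saltLength); // "1579" in the question
        string recomputed = CreatePasswordHash(candidate, salt);
        return FixedTimeEquals(recomputed, stored);
    }

    // Compare every character regardless of where the first mismatch is, so the
    // time taken does not reveal how much of the hash matched.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        // Constructed sample: what would be stored at registration time.
        string stored = CreatePasswordHash("correct horse", "1579");

        // Login attempts: only the matching password verifies.
        Console.WriteLine(VerifyPassword("correct horse", stored, 4));
        Console.WriteLine(VerifyPassword("wrong password", stored, 4));
    }
}
```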
