Reputation: 6029
I have stumbled across the below snippet, which encrypts a user's password. This is what I want to do because I don't want to store the user's password in the database without any encryption.
This is working fine for what I want to achieve, but my question is this: how can I un-encrypt it to make sure the value they have entered in the password box matches?
    // Hash the password details of the user!
    private static string CreatePasswordHash(string pwd, string salt)
    {
        string saltAndPwd = string.Concat(pwd, salt);
        string hashedPwd =
            FormsAuthentication.HashPasswordForStoringInConfigFile(saltAndPwd, "SHA1");
        hashedPwd = string.Concat(hashedPwd, salt);
        return hashedPwd;
    }
I call the above like this:
    string password = CreatePasswordHash(TxtPassword.Text, "1579");
The password then becomes something like this: 566DAB495AD0747B49865F9177E430DFAD63CA281579
So how do I un-encrypt that?
Thank you for your time.
Upvotes: 1
Views: 543
Reputation: 660493
First off, do not attempt to write your own password storage system. You will get it wrong and build an insecure system. Hire an expert who specializes in this sort of thing, have them write the system, and train you in its correct usage and maintenance.
Second, the whole point of that code is that it is impossible for you to find out the user's password. Their password is none of your business. The point of the salted hash is to build a verification system whereby you do not have to store their password in the first place but you can still verify that they know their password.
To understand how that works, read my four-part series of articles on that subject:
http://blogs.msdn.com/b/ericlippert/archive/tags/salt/
But again do not attempt to do this yourself. Hire an expert with decades of experience in this space if you need to do security work.
Upvotes: 8
Reputation: 24433
The point of a hash is that no-one can decrypt it!
When a user attempts a login, you hash the entered password, and then compare the hash with what's in the database. If the hash matches, then the password was correct.
Upvotes: 5