Create NetworkCredential instance using a MD5 encrypted password

Question

I must send an email through code in C#, the smtp server requires authentication, so I need to create a new NetworkCredential instance.

Now the problem is that I want to store the password in the db using some encryption method like MD5, but the NetworkCredential constructor take in input a clear password, how can I create NetworkCredential instance using a MD5 encrypted password?

Sorry for my poor English

Answer 1

Best way to store a secrete is not to have it at all. There were extensive discussions on this, for example see Best way to store password in database.

If you must store password in a retrievable fashion a general approach would be to encrypt it using symmetric algorithm (for example AES). To use symmetric algorithm you would need to have a key and the problem now becomes this: how to store the private key securely? Things that people do to secure a key:

• Use strong composite salt as parts you combine to make private key (application embedded, registry, hardware specific entropy like CPU id, etc )
• Use devices or chips to store keys, like TPM (Trusted Platform Module)
• Use ACL (Access Control List) to disallow access to the file where you store the key
• Use OS provided secure storage to store part of the salt or key
• Request the key on the fly from a secure server and dispose of it asap

But all this will merely raise a bar, but won't protect from determinate attackers.

I know some commercial companies provide paid-for solution that disperses the key in the code of the program in the encrypted way so it is not possible to retrieve it, for example by means of attaching a debugger and intercepting a call to where the key is in the clear. Search for "metaforic" for an example of such commercial solution.