Meska

Reputation: 85

manage a secure password

My program asks for a password and saves it inside a text file. The next time I run my program, if the text file exists, it asks for the password and I compare it with the password inside the text file.

Now, in the real world I know a text file is not used, but I don't know how I can improve my technique, because regardless of the encryption algorithm a text file is readable by everyone, and other solutions such as a registry key are the same.

This is an exercise and my intention is to learn: if I were programming a commercial app, what technique should I use to store a password with more robust security?

Upvotes: 1

Views: 384

Answers (2)

martinstoeckli

Reputation: 24151

It doesn't matter where you store your passwords, as long as you store only a hash of them. A text file will do pretty well; what is important is that you use a salt and a slow hash function with a cost factor. Algorithms like MD5 or SHA* are not appropriate for hashing passwords, because they are too fast and can therefore be brute-forced too easily.

The library BCrypt.NET implements the BCrypt algorithm, which is designed to hash passwords. It will automatically add a cryptographically safe salt and include it in the resulting BCrypt hash.

using BCrypt.Net;

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt
// and embeds the salt and cost factor in the returned string.
string hashToStoreInDb = BCrypt.HashPassword(password);

// Check if the hash of the entered login password matches the stored hash.
// The salt and the cost factor are extracted from existingHashFromDb,
// so no separate salt column is needed.
bool isPasswordCorrect = BCrypt.Verify(password, existingHashFromDb);

Another good algorithm is PBKDF2; crackstation.net has a good code example.

If you are interested in more detailed information, you could have a look at my tutorial about safely storing passwords.

Upvotes: 1

JimiLoe

Reputation: 978

The idea is to encrypt or hash the password but never to decrypt it, i.e. you transform your password in a way which is not reversible.

  • When the password is entered the first time, you (one way) encrypt the password and store it.
  • When a user tries to login, the entered password is encrypted again and compared with the stored one.

A code example was already provided in this answer:

byte[] data = System.Text.Encoding.UTF8.GetBytes(inputString);
data = System.Security.Cryptography.SHA256.Create().ComputeHash(data);
// Hex-encode the digest bytes; Encoding.ASCII.GetString would turn every byte above 0x7F into '?'.
string hash = BitConverter.ToString(data).Replace("-", "");

Your program will store / compare the hash value instead of the plain password.

The code can and should be further improved. An attacker could create large dictionaries / rainbow tables of hashed passwords and use them as a lookup for password cracking. This can be prevented by adding some "salt" to the password before it is hashed. For more details see this answer.

Upvotes: 1
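A worked version of what both answers describe (a per-password random salt, a slow hash with a cost factor, the salt and cost stored alongside the hash, and a constant-time comparison on login), written here in Python rather than the thread's C# and added as an example, not code from either answer. The record format, iteration count and the text-file helpers that mirror the question's program are my own choices; PBKDF2 via hashlib is the standard-library stand-in for BCrypt.NET.

```python
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000   # cost factor: raise it over time as hardware gets faster
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted, slow hash and return a self-describing record.

    Format (my own, modelled on bcrypt strings): pbkdf2_sha256$<iterations>$<salt>$<hash>
    so the salt and cost factor travel with the hash and can be raised later.
    """
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations), _b64(salt), _b64(dk)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash using the salt and iterations embedded in `stored`.

    Malformed or foreign records verify as False instead of raising.
    """
    try:
        algo, iters, salt_b64, hash_b64 = stored.strip().split("$")
        if algo != ALGO:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        iterations = int(iters)
    except ValueError:  # wrong field count, bad base64 or non-integer count
        return False
    if iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)  # constant-time comparison


def store_password(path: str, password: str) -> None:
    """What the question's program should write to its text file: the record, never the plaintext."""
    with open(path, "w", encoding="ascii") as f:
        f.write(hash_password(password) + "\n")


def check_password(path: str, password: str) -> bool:
    """On the next run: read the record back and verify the entered password against it."""
    with open(path, encoding="ascii") as f:
        return verify_password(password, f.read())
```

Keeping this record in the question's text file is fine: someone who reads the file still has to run 200,000 PBKDF2 rounds per guess against that one salt, so precomputed tables are useless and brute force is slow.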
