Reputation: 7549
I thought this would've been a lot simpler but at this point I'm confused and haven't progressed at all.
Basically, I need to be able to accept a password from a user in a WPF app, encrypt it then store this in a database and be able to decrypt later on. However I'm not sure how to implement this.
This is completely trivial so whether it's safe or not doesn't matter. All I need is for it to get working only I'm unsure exactly how to do it. I've tried playing around with the DESCryptoServiceProvider() but haven't gotten anywhere.
To be clear, how exactly do I go about converting a simple password into something that's been encrypted and storing it in the database (and what fields would I store it in). At this point, I'm happy if there's only one key and that key is being defined in the source code.
Any suggestions?
Edit: To clarify further, I can't 'encode'. It has to be encrypted for the purposes of this exercise (i.e. it needs to have a key generated). I believe SHA is an encoding algorithm, not encryption.
Upvotes: 1
Views: 2208
Reputation: 54148
If you are using SQL Server 2005 or later, there is built-in encryption in the database that you can use to protect the data without writing your own decrypt/encrypt code.
That article covers SQL 2005 - for SQL 2008 start here.
Encryption algorithms define data transformations that cannot be easily reversed by unauthorized users. SQL Server allows administrators and developers to choose from among several algorithms, including DES, Triple DES, TRIPLE_DES_3KEY, RC2, RC4, 128-bit RC4, DESX, 128-bit AES, 192-bit AES, and 256-bit AES.
Upvotes: 0
Reputation: 13762
Don't try and code your own scheme for this, you'll likely get something wrong and leave it insecure.
Better use something like BCrypt to do it for you.
And as for how to store it, BCrypt will return a string encoding of the hashed password that is very easy to store in the database.
To be clear, it works like this. When you first store the user's password you:
When the user comes to log in later you:
Upvotes: 4
Reputation: 101
Is there anything against using one-way encryption? SHA would do this - you don't need to decrypt it; you only need to check the user is entering the correct password again, which you can do by encrypting their entered password and comparing the resulting hash to the hash stored in your database.
Remember to salt it too!
Upvotes: 3
Reputation: 887433
You need to store an irreversible salted hashcode of the password.
Use SHA512Managed.
Upvotes: 2
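The salted SHA-512 approach described in the last two answers, written out as an added example that is not part of any answer on this page. It also shows which two values would go into database columns. `PasswordRecord`, `PasswordStore` and the column sizes are hypothetical names and assumptions, and `SHA512.Create()` is used as the factory form of the `SHA512Managed` class named above.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical row shape: two text columns holding Base64 strings.
public sealed class PasswordRecord
{
    public string SaltB64;   // 16 random bytes  -> 24 Base64 characters
    public string HashB64;   // 64-byte SHA-512  -> 88 Base64 characters
}

public static class PasswordStore
{
    // Called once, when the user sets a password: new random salt per user.
    public static PasswordRecord Create(string password)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        return new PasswordRecord { SaltB64 = Convert.ToBase64String(salt),
                                    HashB64 = Convert.ToBase64String(Digest(salt, password)) };
    }

    // Called at login: recompute with the stored salt and compare the digests.
    public static bool Verify(string attempt, PasswordRecord stored)
    {
        byte[] expected = Convert.FromBase64String(stored.HashB64);
        byte[] actual = Digest(Convert.FromBase64String(stored.SaltB64), attempt);
        int diff = expected.Length ^ actual.Length;
        for (int i = 0; i < expected.Length && i < actual.Length; i++)
            diff |= expected[i] ^ actual[i];   // no early exit on the first mismatch
        return diff == 0;
    }

    // SHA-512 over salt || UTF-8(password).
    static byte[] Digest(byte[] salt, string password)
    {
        byte[] pw = Encoding.UTF8.GetBytes(password);
        var input = new byte[salt.Length + pw.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pw, 0, input, salt.Length, pw.Length);
        using (var sha = SHA512.Create())
            return sha.ComputeHash(input);
    }

    public static void Main()
    {
        PasswordRecord rec = Create("correct horse");      // constructed sample input
        Console.WriteLine(Verify("correct horse", rec));   // matching attempt
        Console.WriteLine(Verify("wrong horse", rec));     // non-matching attempt
    }
}
```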