lildeveloper

Reputation: 27

How to encrypt and verify password in asp.net using C#?

I used the following tutorial to hash passwords to my db. I would like to ask more experienced developers here if this method is still "up to date"? I wouldn't like to have security problems.

Here is the link in question: How to encrypt and decrypt password in asp.net using C#?. I modified the code a little bit so that it would always use SHA512 as the hash algorithm. I also never specify a salt but let it generate it (second parameter = null).

Thanks in advance for your help, wish you all a nice week!

Greetings

Upvotes: 0

Views: 16448

Answers (2)

Arslan Ali

Reputation: 460

As I'm an asp.net beginner answering this, I used the following code, which might help you: you can encrypt the password and save it to the db, and when you retrieve that encrypted string from the db, decrypt it to match your verifying password. The following code is tested for your (pwd) cryptography.

Design File

<form id="form1" runat="server">
<div>
    <asp:TextBox ID="TextBox1" Text="Arslan Ali" runat="server" placeHolder="Enter Password"></asp:TextBox><br />
    <asp:Button ID="Button1" runat="server" Text="Encrypt" OnClick="Button1_Click" /><br />
    <asp:Button ID="Button2" runat="server" Text="Decrypt" OnClick="Button2_Click" /><br />
    <asp:Label ID="Label1" runat="server" Text="Label"></asp:Label><br />
</div>
</form>

In your Code File Required NameSpaces

using System.Text;
using System.Security.Cryptography;

Define Hash String

    string hash = @"foxle@rn";

Encrypt

protected void Button1_Click(object sender, EventArgs e)
{
    byte[] data = UTF8Encoding.UTF8.GetBytes(TextBox1.Text);
    using(MD5CryptoServiceProvider md5=new MD5CryptoServiceProvider())
    {
        byte[] keys = md5.ComputeHash(UTF8Encoding.UTF8.GetBytes(hash));
        using (TripleDESCryptoServiceProvider tripleDes = new TripleDESCryptoServiceProvider() {Key=keys,Mode=CipherMode.ECB,Padding=PaddingMode.PKCS7 })
        {
            ICryptoTransform transform=tripleDes.CreateEncryptor();
            byte[] results=transform.TransformFinalBlock(data,0,data.Length);
            Label1.Text = Convert.ToBase64String(results);
        }
    }
}

Decrypt

protected void Button2_Click(object sender, EventArgs e)
{
    byte[] data = Convert.FromBase64String(Label1.Text);
    using (MD5CryptoServiceProvider md5 = new MD5CryptoServiceProvider())
    {
        byte[] keys = md5.ComputeHash(UTF8Encoding.UTF8.GetBytes(hash));
        using (TripleDESCryptoServiceProvider tripleDes = new TripleDESCryptoServiceProvider() { Key = keys, Mode = CipherMode.ECB, Padding = PaddingMode.PKCS7 })
        {
            ICryptoTransform transform = tripleDes.CreateDecryptor();
            byte[] results = transform.TransformFinalBlock(data, 0, data.Length);
            Label1.Text = UTF8Encoding.UTF8.GetString(results);
        }
    }
}

I hope it may help you, but I'm confirming that I'm also a beginner at crypto as well as asp.net web-forms.

Upvotes: 4

TomTom

Reputation: 62093

if this method is still "up to date"?

Yes, in general.

I also never specify a salt but let it generate it (second parameter = null).

Yeah. Now hash like a hundred thousand times and you are ok ;) No joke. I think minimum should be around - well, it should take a second to operate.

Now, here is the question you actually NEVER ASK EXCEPT IN YOUR TITLE. How do you verify?

NOT by decryption.

  • Take password entered by user.
  • Take salt from your salted password (yes, store it)
  • Take number of iterations from your salted password
  • Salt input from user same number of times with same algorithm.
  • Compare both hashes.

Finished.

Hashes are NOT encryption. Encryption means you can decrypt - Hashes are irreversible.

Upvotes: 3
