Reputation: 6541
I am building a web front end app, which has a table users and of course a username and password field. My question is what datatype should I store the password as:
I was told binary is popular, but how do I store the password as binary, i.e. on the front end, if I capture the password from the login form, how do I transform that string to binary?
Any suggestions would be appreciated!
Upvotes: 0
Views: 2503
Reputation: 3475
You have to basically hash your passwords and store them in the database. You never decrypt them back but always compare the hashed versions. Some sample stuff is below.
using System;
using System.Security.Cryptography;
using System.Web.Security;   // FormsAuthentication (System.Web, ASP.NET Framework)

private static string CreateSalt(int size)
{
    // Generate a cryptographic random number.
    RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
    byte[] buff = new byte[size];
    rng.GetBytes(buff);
    // Return a Base64 string representation of the random number.
    return Convert.ToBase64String(buff);
}

private static string CreatePasswordHash(string pwd, string salt)
{
    // Append the salt to the password, then hash the combined string.
    string saltAndPwd = String.Concat(pwd, salt);
    string hashedPwd =
        FormsAuthentication.HashPasswordForStoringInConfigFile(
            saltAndPwd, "sha1");
    return hashedPwd;
}
Store the PasswordHash and salt in the database in the user's account.
Then, when the user attempts to logon the next time, grab the salt from the database and hash it as usual with the password provided by the user during logon and compare that value to the PasswordHash in the database. If they are the same, the user provided the correct password (whatever that may be). If they are not the same, the password entered was incorrect.
Upvotes: 2
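The register-then-verify flow described in the answer (generate a per-user salt, derive a hash, store salt and hash, recompute and compare at login), as an added example that is not part of the original answer. It uses the current .NET APIs rather than the ones in the posted snippet: RandomNumberGenerator.GetBytes, Rfc2898DeriveBytes.Pbkdf2 (PBKDF2-SHA256, .NET 6 or later) and CryptographicOperations.FixedTimeEquals. The users table, its column names and the storage-string format are assumptions for illustration; there is no real data layer here.

```csharp
// Added example, not the answer's code: salted, iterated password hashing with
// current .NET APIs (PBKDF2 via Rfc2898DeriveBytes.Pbkdf2, .NET 6 or later).
// It assumes a hypothetical users table with a VARBINARY hash column and a
// VARBINARY salt column (or one VARCHAR column holding the encoded record).
using System;
using System.Security.Cryptography;
using System.Text;

public sealed class PasswordRecord
{
    // These three values are what actually goes into the users table;
    // the password itself is never stored.
    public byte[] Salt { get; init; } = Array.Empty<byte>();
    public byte[] Hash { get; init; } = Array.Empty<byte>();
    public int Iterations { get; init; }
}

public static class PasswordStore
{
    private const int SaltSize = 16;               // 128-bit random salt per user
    private const int HashSize = 32;               // 256-bit derived key
    private const int DefaultIterations = 600_000; // PBKDF2-SHA256 work factor

    // Registration: returns only the salt, the derived hash and the iteration count.
    public static PasswordRecord Create(string password, int iterations = DefaultIterations)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Derive(password, salt, iterations);
        return new PasswordRecord { Salt = salt, Hash = hash, Iterations = iterations };
    }

    // Login: recompute the hash with the stored salt and iteration count, then
    // compare in constant time so timing does not reveal how many bytes matched.
    public static bool Verify(string password, PasswordRecord stored)
    {
        byte[] candidate = Derive(password, stored.Salt, stored.Iterations);
        return CryptographicOperations.FixedTimeEquals(candidate, stored.Hash);
    }

    // The "string to binary" step from the question: the text password is
    // UTF-8 encoded, then PBKDF2 turns it into a fixed-size byte array.
    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        byte[] passwordBytes = Encoding.UTF8.GetBytes(password);
        return Rfc2898DeriveBytes.Pbkdf2(passwordBytes, salt, iterations,
                                         HashAlgorithmName.SHA256, HashSize);
    }

    // Encoding for a text column if the schema uses VARCHAR instead of VARBINARY.
    // Storing the iteration count alongside lets the work factor be raised later.
    public static string ToStorageString(PasswordRecord r) =>
        $"{r.Iterations}:{Convert.ToBase64String(r.Salt)}:{Convert.ToBase64String(r.Hash)}";

    public static PasswordRecord FromStorageString(string s)
    {
        string[] parts = s.Split(':');
        if (parts.Length != 3) throw new FormatException("expected iterations:salt:hash");
        return new PasswordRecord
        {
            Iterations = int.Parse(parts[0]),
            Salt = Convert.FromBase64String(parts[1]),
            Hash = Convert.FromBase64String(parts[2]),
        };
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample credential, not a real user.
        PasswordRecord record = PasswordStore.Create("correct horse battery staple");
        string column = PasswordStore.ToStorageString(record);   // what the users row would hold
        Console.WriteLine(column);

        PasswordRecord loaded = PasswordStore.FromStorageString(column);
        Console.WriteLine(PasswordStore.Verify("correct horse battery staple", loaded));
        Console.WriteLine(PasswordStore.Verify("Correct horse battery staple", loaded));

        // Two registrations of the same password give different hashes because the salt differs,
        // which is what stops an attacker from precomputing one table for all users.
        PasswordRecord again = PasswordStore.Create("correct horse battery staple");
        Console.WriteLine(Convert.ToBase64String(again.Hash) == Convert.ToBase64String(record.Hash));
    }
}
```

Whether the column is VARBINARY or VARCHAR is a schema choice; what matters is that the row holds the salt and the derived hash, never the password, and that the login path compares derived values with a constant-time comparison.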