user962206

Reputation: 16147

Hashing Password Database with LINQ to SQL

I am currently working on a login form and I've heard the best way to store passwords is to hash them. Do I put the "hashed" passwords in the database (in a column where only byte data types are placed)? Do I put the bytes in the database, then retrieve them and convert them to a string to compare them with the user's input? Is that how it works? If so, how would I do that in LINQ to SQL?

Upvotes: 1

Views: 926

Answers (3)

sh_erfan

Reputation: 21

There are two major differences between hashing and encrypting:

1) When you hash a password, for example, the result is unique, but when you encrypt, the result should be random each time you encrypt the same data.

2) Hashing is unidirectional, encryption is bidirectional, which means retrieving hashed data is meaningless, but you can decrypt encrypted data.

A question may arise here: when should you use hashing and when should you use encryption?

The answer is simple. If you do not want to show the real data to the user, or you do not want to use it anywhere in your program, and it is only used for authentication or verification (like a login password), it is wise to use hashing and save the hashed form of the data in the database. When authenticating, simply hash the input and, since hashing gives you the same result, search the desired table to find its match. On the other hand, encryption is used for data that we may need to show to the user or use its value in a calculation (e.g. showing the credit card number when printing payments, to show which payment was paid by which credit card).

Upvotes: 2
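The two properties this answer contrasts, as an added C# example that is not part of the original answer: hashing the same input twice gives identical bytes and cannot be reversed, while encrypting the same input twice gives different bytes (fresh random IV) and can be decrypted back. The key, the sample "card number" and the use of AES-CBC are assumptions made for the demonstration only.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the answer above.
public static class HashVsEncrypt
{
    // Deterministic: same input, same 32 bytes, every time.
    public static byte[] Hash(string input)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(Encoding.UTF8.GetBytes(input));
    }

    // Output is IV || ciphertext. AES-CBC is used here only to illustrate randomised
    // output; a production system would use an authenticated mode so tampering is detected.
    public static byte[] Encrypt(byte[] key, string plaintext)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = key;
            aes.GenerateIV();                       // fresh random IV per call
            using (var enc = aes.CreateEncryptor())
            {
                var pt = Encoding.UTF8.GetBytes(plaintext);
                var ct = enc.TransformFinalBlock(pt, 0, pt.Length);
                return aes.IV.Concat(ct).ToArray();
            }
        }
    }

    // Reversible: split off the IV, decrypt the rest with the same key.
    public static string Decrypt(byte[] key, byte[] blob)
    {
        using (var aes = Aes.Create())
        {
            int ivLen = aes.BlockSize / 8;
            aes.Key = key;
            aes.IV = blob.Take(ivLen).ToArray();
            using (var dec = aes.CreateDecryptor())
            {
                var pt = dec.TransformFinalBlock(blob, ivLen, blob.Length - ivLen);
                return Encoding.UTF8.GetString(pt);
            }
        }
    }

    public static void Main()
    {
        const string secret = "4111111111111111";   // constructed sample value, not a real card

        Console.WriteLine("hash repeats:       " + Hash(secret).SequenceEqual(Hash(secret)));

        var key = new byte[32];                     // assumed 256-bit key, generated for the demo
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(key);
        byte[] c1 = Encrypt(key, secret), c2 = Encrypt(key, secret);
        Console.WriteLine("ciphertexts differ: " + !c1.SequenceEqual(c2));
        Console.WriteLine("decrypts back:      " + (Decrypt(key, c1) == secret));
    }
}
```

The hash side is what you keep for passwords (nothing to decrypt, nothing to leak); the encrypt side is what you keep for data you must show again, such as the card number in the answer's example, with the key held outside the database.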

Servy

Reputation: 203825

When a user attempts to authenticate you use the same hash algorithm on the password they enter and search the database for a user with the entered username and a hash that matches the one you just generated. If you get a result, that's the user to authenticate them as.

Note that at no point do you take the hash and convert it back to the plaintext password. The entire purpose of the hash is that it is something that you can't do (at least not in any practical sense). It's not encrypted, it's not a two-way thing. Once it's hashed, if you can turn it back into the original password then you're not using a good enough hashing algorithm.

Upvotes: 2

Decker97

Reputation: 1653

I think the general approach is to salt/hash the passwords before storing them in the database when the user creates their account. Then, to authenticate the user, salt/hash the user's input and compare that with the password stored in the database.

Upvotes: 3
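The flow described in the two answers above (hash at registration, re-hash the login input and compare bytes, never reverse the hash, with a per-user salt), as an added C# / LINQ to SQL example that is not code from the question or any answer. It assumes a SQL Server table named `Users` with the columns shown in the comment, a placeholder connection string, and an iteration count chosen for the demonstration; the hash and salt are stored and compared as raw bytes (`varbinary`), so nothing is ever converted back to a string.

```csharp
using System;
using System.Data.Linq;
using System.Data.Linq.Mapping;
using System.Linq;
using System.Security.Cryptography;

// Added example, not from the question or the answers. Assumed table:
//   Users(Id int IDENTITY PRIMARY KEY, Username nvarchar(64) UNIQUE,
//         PasswordSalt varbinary(16), PasswordHash varbinary(32), Iterations int)
[Table(Name = "Users")]
public class User
{
    [Column(IsPrimaryKey = true, IsDbGenerated = true)]
    public int Id { get; set; }

    [Column(CanBeNull = false)]
    public string Username { get; set; }

    [Column(CanBeNull = false, DbType = "VarBinary(16) NOT NULL")]
    public byte[] PasswordSalt { get; set; }

    [Column(CanBeNull = false, DbType = "VarBinary(32) NOT NULL")]
    public byte[] PasswordHash { get; set; }

    // Stored per row so the work factor can be raised later without breaking old accounts.
    [Column(CanBeNull = false)]
    public int Iterations { get; set; }
}

public class UsersDataContext : DataContext
{
    public UsersDataContext(string connectionString) : base(connectionString) { }
    public Table<User> Users { get { return GetTable<User>(); } }
}

public static class PasswordStore
{
    const int SaltSize = 16;
    const int HashSize = 32;
    const int DefaultIterations = 100000;   // assumed work factor; tune to your hardware

    // PBKDF2 (HMAC-SHA1) via Rfc2898DeriveBytes, which ships with the .NET Framework.
    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return kdf.GetBytes(HashSize);
    }

    // Registration: fresh random salt per user, store salt + hash + iteration count.
    public static void Register(UsersDataContext ctx, string username, string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);

        ctx.Users.InsertOnSubmit(new User
        {
            Username = username,
            PasswordSalt = salt,
            PasswordHash = Derive(password, salt, DefaultIterations),
            Iterations = DefaultIterations
        });
        ctx.SubmitChanges();
    }

    // Login: fetch the row by username, re-derive with the stored salt, compare the bytes.
    public static bool Verify(UsersDataContext ctx, string username, string password)
    {
        var user = ctx.Users.SingleOrDefault(u => u.Username == username);
        if (user == null)
        {
            // Spend the same effort for an unknown user so response time does not
            // reveal whether the username exists.
            Derive(password, new byte[SaltSize], DefaultIterations);
            return false;
        }
        var candidate = Derive(password, user.PasswordSalt, user.Iterations);
        return FixedTimeEquals(candidate, user.PasswordHash);
    }

    // Constant-time byte comparison; CryptographicOperations.FixedTimeEquals does not
    // exist on the .NET Framework versions that LINQ to SQL targets.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Program
{
    public static void Main()
    {
        // Placeholder connection string (assumption).
        var ctx = new UsersDataContext(@"Data Source=.\SQLEXPRESS;Initial Catalog=App;Integrated Security=True");
        PasswordStore.Register(ctx, "alice", "correct horse battery staple");
        Console.WriteLine(PasswordStore.Verify(ctx, "alice", "correct horse battery staple"));
        Console.WriteLine(PasswordStore.Verify(ctx, "alice", "wrong password"));
    }
}
```

Because each row carries its own salt, the login query selects by username only and the comparison happens in memory after the row is read; you cannot compute the hash before you know the salt, so a `WHERE PasswordHash = @hash` lookup is not possible with salted storage. Rfc2898DeriveBytes is used rather than a bare SHA-256 because a single fast hash lets an attacker who obtains the table test billions of guesses per second; the iteration count is what slows that down.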
