Storing password

AspDotNetDev

Rather than storing the password, store a hash of it. Encrypt and "salt" the password before modifying it to get the hash. Store this hash. Then, when the user enters their password, create the hash from it and compare it to the hash you have stored in the database. Doing it this way will prevent somebody who gains access to your database from learning any of the passwords, but still gives you the ability to use passwords to secure data and transactions.

[Forum Guidelines]

AspDotNetDev

Use Google.

[Forum Guidelines]

OriginalGriff

You shouldn't use MD5 for new applications - it is officially "broken". Use SHA-512 instead, as it is currently ok until the SHA-1024 spec is released in 2012.

You should never use standby on an elephant. It always crashes when you lift the ears. - Mark Wallace C/C++ (I dont see a huge difference between them, and the 'benefits' of C++ are questionable, who needs inheritance when you have copy and paste) - fat_boy

Abhinav S

Encrypt it before storing it into the database.

Me, I'm dishonest. And a dishonest man you can always trust to be dishonest.
Honestly. It's the honest ones you want to watch out for...

OriginalGriff

Don't use MD5 - it is officially "broken". Use SHA instead. Attached the class I use for SHA handling:

using System;
using System.Text;
using System.Security.Cryptography;
using System.Runtime.InteropServices;
using System.Security;
using System.IO;

namespace UtilityControls
{
/// <summary>
/// Supports SHA2 hash processing
/// NOTE: SHA3 is under developemnt and the specification is due in 2012
/// </summary>
public class SHA2Hash
{
#region Fields
private byte[] _SHA2Data;
/// <summary>
/// Bits in an SHA2 hash
/// </summary>
public const int SHA2Bits = 512;
/// <summary>
/// Bytes in an SHA2 hash
/// </summary>
public const int SHA2Bytes = SHA2Bits / 8;
/// <summary>
/// Size of SHA2Hash string
/// </summary>
public const int Length = SHA2Bytes * 2; // As in SHA2 as a string...
#endregion

    #region Properties
    /// <summary>
    /// Returns the SHA2 hash as a string
    /// </summary>
    public string SHA2data
        {
        get
            {
            StringBuilder sb = new StringBuilder(Length);
            foreach (byte b in \_SHA2Data)
                {
                sb.Append(b.ToString("x2"));
                }
            return sb.ToString();
            }
        }
    #endregion

    #region Constructors
    /// <summary>
    /// Constructs an SHA2 hash from a stream
    /// </summary>
    /// <param name="s">stream, data to construct SHA2 from</param>
    public SHA2Hash(Stream s)
        {
        SHA512 shaM = new SHA512Managed();
        \_SHA2Data = shaM.ComputeHash(s);
        }

    /// <summary>
    /// Constructs an SHA2 hash from a SecureString
    /// </summary>
    /// <param name="ss">SecureString, data to construct SHA2 from</param>
    public SHA2Hash(SecureString ss)
        {
        SHA512 shaM = new SHA512Managed();
        if (ss != null)
            {
            IntPtr ptr = Marshal.SecureStringToBSTR(ss);
            byte\[\] bs = Encoding.UTF8.GetBytes(Marshal.PtrToStringAuto(ptr));
            \_SHA2Data = shaM.ComputeHash(bs);
            Marshal.ZeroFreeBSTR(ptr);

AspDotNetDev

FYI, looks like you encoded your ending PRE tag. And you may want to specify a lang attribute on that PRE tag (though I'm sure the code will not be looked at... probably just copy/pasted... so perhaps that's a moot point).

[Forum Guidelines]

Lost User

Thanks Griff, just what I need.

txtspeak is the realm of 9 year old children, not developers. Christian Graus

Un Known Legend

Hi please check this link http://msdn.microsoft.com/en-us/library/system.security.cryptography.md5.aspx thanks

PIEBALDconsult

See here[^].

Dan Mos

nice example. thanks :)