C# password encryption

I found some code online that works well enough for what I'm trying to do. I need something that will encrypt the password, store it in the database, and retrieve it with ease. The code below does almost everything I am looking for.

        // Namespaces this snippet relies on (not shown in the original):
        // using System.Data; using System.Data.SqlClient; using System.IO;
        // using System.Security.Cryptography; using System.Text;
        string UserName = txtUser.Text;
        string password = txtPass.Text;

        string encrKey = "keyvalue";
        // DES accepts exactly an 8-byte (64-bit) key; any other length makes
        // CreateEncryptor throw "The specified key is not valid for this algorithm".
        byte[] byteKey = Encoding.UTF8.GetBytes(encrKey.Substring(0, 8));
        byte[] IV = { 25, 47, 60, 88, 99, 106, 125, 139 };
        byte[] inputArray = Encoding.UTF8.GetBytes(password);

        using (DESCryptoServiceProvider des = new DESCryptoServiceProvider())
        using (MemoryStream ms = new MemoryStream())
        using (CryptoStream cs = new CryptoStream(ms, des.CreateEncryptor(byteKey, IV), CryptoStreamMode.Write))
        {
            cs.Write(inputArray, 0, inputArray.Length);
            cs.FlushFinalBlock();
            password = Convert.ToBase64String(ms.ToArray());
        }

        SqlCommand cmd = new SqlCommand("INSERT INTO Users (UserName, Password) VALUES (@UserName, @Password)", myConnection);
        cmd.CommandType = CommandType.Text;

        cmd.Parameters.AddWithValue("@UserName", UserName);
        cmd.Parameters.AddWithValue("@Password", password);

        // An INSERT returns no result set, so ExecuteNonQuery is the right call
        // (the original used ExecuteReader, which leaves an open reader behind).
        int rowsInserted = cmd.ExecuteNonQuery();


The problem I am facing is code errors when the password is 8 characters or more. I am getting this error:

System.Security.Cryptography.CryptographicException: The specified key is not valid for this algorithm. The error is generated in the Cryptostream line.

Do I need to use a different type for my keys?

+2




5 answers


It is common practice not to encrypt the password in the database, but the hash code.
When a user tries to log in, you take their entered password, hash it and compare it to the hash stored in your db.

The standard hashing algorithm is SHA-1, which is readily available in .NET.



For even more security, you use salt in your hashing.

You can read more about this here: Salting Your Password: Best Practices?

+14




If you really need reversible encryption, just use the ProtectedData class: http://msdn.microsoft.com/en-us/library/system.security.cryptography.protecteddata.aspx

If the others here are correct, use a salted hash like in the example below. From " "



using System;
using System.Security.Cryptography;

public sealed class PasswordHash
{
    // 16-byte random salt, 20-byte PBKDF2 output, 10000 iterations
    const int SaltSize = 16, HashSize = 20, HashIter = 10000;
    readonly byte[] _salt, _hash;

    // Create a fresh salt and derive the hash for a new password.
    public PasswordHash(string password)
    {
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(_salt = new byte[SaltSize]);
        _hash = new Rfc2898DeriveBytes(password, _salt, HashIter).GetBytes(HashSize);
    }

    // Rebuild from the combined salt+hash array produced by ToArray().
    public PasswordHash(byte[] hashBytes)
    {
        Array.Copy(hashBytes, 0, _salt = new byte[SaltSize], 0, SaltSize);
        Array.Copy(hashBytes, SaltSize, _hash = new byte[HashSize], 0, HashSize);
    }

    // Rebuild from salt and hash stored in separate columns.
    public PasswordHash(byte[] salt, byte[] hash)
    {
        Array.Copy(salt, 0, _salt = new byte[SaltSize], 0, SaltSize);
        Array.Copy(hash, 0, _hash = new byte[HashSize], 0, HashSize);
    }

    // Salt followed by hash, suitable for a single binary column.
    public byte[] ToArray()
    {
        byte[] hashBytes = new byte[SaltSize + HashSize];
        Array.Copy(_salt, 0, hashBytes, 0, SaltSize);
        Array.Copy(_hash, 0, hashBytes, SaltSize, HashSize);
        return hashBytes;
    }

    public byte[] Salt { get { return (byte[])_salt.Clone(); } }
    public byte[] Hash { get { return (byte[])_hash.Clone(); } }

    // Re-derive with the stored salt and compare against the stored hash.
    // Note: this loop returns at the first differing byte; a comparison that
    // always checks every byte avoids leaking the matching prefix length via timing.
    public bool Verify(string password)
    {
        byte[] test = new Rfc2898DeriveBytes(password, _salt, HashIter).GetBytes(HashSize);
        for (int i = 0; i < HashSize; i++)
            if (test[i] != _hash[i])
                return false;
        return true;
    }
}


+2




Hashing passwords is much better than encryption. You store the hash of the password in the database and you no longer need the plain-text password. When the user logs in, you take the plain-text password they entered, hash it, and compare the two hashes (i.e. the one in the database and the one you have just hashed from the user input) for authentication. The obvious benefit is that nobody, regardless of how they gained access to the database, can learn the original password (in theory).

+1




I suggest using bcrypt. The source code is available at http://code.google.com/p/bcryptnet/ ; download and use it. But before using it, read the documentation and understand how it works and why bcrypt ... this is important.

After my research over several weeks about password encryption, I finally found that bcrypt best suits my needs. (I think this is best for passwords; correct me if I'm wrong.)

It is one-way encryption. As some programmers say: hash and compare, but don't decrypt.

Hope this helps you. If you find other interesting things, please let me know XD world ~~

If anything I said is wrong, correct me XD

+1




Try this instead:

using System;
using System.Security.Cryptography;
using System.Text;

// UTF-8 keeps non-ASCII characters of the password intact (ASCII would turn them into '?').
var hash = Encoding.UTF8.GetBytes(password);
byte[] sha1hash;
using (var sha1 = new SHA1CryptoServiceProvider())
    sha1hash = sha1.ComputeHash(hash);
// The digest is arbitrary binary, so decoding it as ASCII text corrupts it;
// Base64 gives a lossless string for the database column.
var hashedPassword = Convert.ToBase64String(sha1hash);


0

