0

I am creating an ASP.Net website for the first time and I want to store the password from the login page in the database in an encoded format, not directly as it is. But encryption and decryption should occur automatically.

Any suggestions for this?

1
  • 3
    Passwords should be hashed, with salt - not encrypted. Commented Oct 12, 2012 at 4:57

1 Answer

3

Decryption of the stored password should not be possible for security reasons. If the user tries to authenticate, "encrypt" the entered password again and compare it to the value in the database.

The mathematical method to do this is called a cryptographic hash function. To protect against rainbow table attacks, the hash should also be salted.


If you want to implement this yourself, there are lots of questions here on SO on how to do this with .NET. Here are a few of them:


On the other hand, since you are using ASP.NET, you could make your life easier and just use the built-in ASP.NET membership provider, which already does all the necessary security stuff. Here's an MSDN article to get you started:
