-1

I have no code to post as this is just a general question.

I currently have a web site where I have authentication setup. I have members of the site and I store their credentials in a database. This works perfectly fine. Common sense applies here and I do know that I shouldn't store user information as plain text. However, as I was researching things, I saw that hashing strings something quite easy to do. Throughout my development I saw that there is also a way to de-hash these passwords which led me to this question. Is just hashing the password enough? Should I be doing some kind of encryption along with it? What is the best practice? I haven't found any good information on the web...

string dec = FormsAuthentication.HashPasswordForStoringInConfigFile(Login1.Password, "SHA1"); Thanks in advance for any helpful input.

mwilson
  • 10,186
  • 5
  • 41
  • 72
  • 1
    Make sure you use a unique salt for each user, and try to use a password hashing algorithm instead of a (edit: purely) cryptographic one. Encryption isn't very useful as the decryption key needs to be stored on the same server as the data. If one is compromised, it's likely both will. – TheEvilPenguin Jun 17 '14 at 01:55
  • 2
    @TheEvilPenguin good hashing algorithms *are* cryptographic. – Andrew Savinykh Jun 17 '14 at 01:58
  • @zespri Good point, that was a bit misleading. I've made it sort of clearer. As someone has already posted a bcrypt implementation I glossed over that part a bit. – TheEvilPenguin Jun 17 '14 at 02:00
  • 2
    From your description it does not look like there is a necessity to reinvent the wheel. You can use standard .Net facilities like this one: [Crypto.HashPassword Method](http://msdn.microsoft.com/en-us/library/system.web.helpers.crypto.hashpassword%28v=vs.111%29.aspx) I'm not sure what exactly you refer to when you mention de-hashing as hash functions are made on purpose very difficult to reverse. – Andrew Savinykh Jun 17 '14 at 02:03
  • 2
    `de-hashing`: i.e. via brute-force, or preparing rainbow tables (huge dictionary look-ups of random strings to their hashed value) – Martin Konecny Jun 17 '14 at 02:10
  • 1
    Without any supporting links "also a way to de-hash these passwords" (which whole question is based on) this question does not look a bit weak. There are many questions discussing the issues like http://stackoverflow.com/questions/12657792/how-to-securely-save-username-password-local?lq=1. It is also somewaht hard to belive that there is no information on [C# hash password](http://www.bing.com/search?q=c%23+hash+password) on the internet... [Hashing passwords - MSDN Magazine, 2003](http://msdn.microsoft.com/en-us/magazine/cc164107.aspx) may be a start... – Alexei Levenkov Jun 17 '14 at 02:35
  • 1
    You should give me a +1 for my question then :) – mwilson Jun 17 '14 at 02:40

1 Answers1

5

You will want to take a look at bcrypt, as hash functions although reasonably secure (as long as you salt your inputs!), become weaker over time.

The key to the bcrypt algorithm is that the difficulty is configurable and so this method scales even as computers become more and more powerful:

Cryptotheoretically, this is no stronger than the standard Blowfish key schedule, but the number of rekeying rounds is configurable; this process can therefore be made arbitrarily slow, which helps deter brute-force attacks upon the hash or salt.

An implementation of bcrypt for C# is available here.

Martin Konecny
  • 50,691
  • 18
  • 119
  • 145
  • 3
    and you want to add some salt so that two people with the same password (in your system or across systems) don't end up with the same hash. – Thilo Jun 17 '14 at 01:55