
For my login system, I wish to hash the passwords in my database. So I decided I would read up on hashing and how to do it but unfortunately it doesn't really make any sense to me as I can't find examples for what I want.

I want it so that when a user account is created, the password is hashed and stored within my database and then when they login it hashes the login password and checks it with the hashed password in the database. If this makes any sense I'd appreciate the help.

If you need examples of my code or whatever then ask and I will edit it into my question.

  • I suppose you mean to **encrypt** and **decrypt** your passwords? Maybe you were just looking up the wrong term ("hash"), which led to confusion? – Thorsten Kettner Nov 05 '15 at 14:06
  • There's a great answer [here](http://stackoverflow.com/a/10402129/3845456) which is probably what you want. – DrewJordan Nov 05 '15 at 14:09
  • @ThorstenKettner I am not sure, I read that you should hash rather than encrypt and decrypt? – imamage597 Nov 05 '15 at 14:21
  • My bad, sorry. Seeing DrewJordan's link and Reza Aghaei's answer, you are probably right. I simply didn't know that hashes were used to verify passwords. – Thorsten Kettner Nov 05 '15 at 14:33
  • If you are looking to hash and store that password in your database, then please also lookup salt. It makes the hash much more secure. – Huntt Nov 05 '15 at 15:01

1 Answer

You can use a hash algorithm like MD5, SHA1, SHA256, SHA512, ... to hash the password. For example:

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public string Hash(string password)
{
    // UTF-8 bytes of the password, MD5 digest, Base64-encoded for storage
    var bytes = new UTF8Encoding().GetBytes(password);
    var hashBytes = MD5.Create().ComputeHash(bytes);
    return Convert.ToBase64String(hashBytes);
}
```

Then store the hash of the password in the database and, when you want to compare an entered password with the stored value, compare the hash of the entered value with the database value.

EDIT

Consider using SHA256 or SHA512 instead of MD5:

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public string Hash(string password)
{
    var bytes = new UTF8Encoding().GetBytes(password);
    byte[] hashBytes;
    // Dispose the algorithm instance once the digest has been computed
    using (var algorithm = new SHA512Managed())
    {
        hashBytes = algorithm.ComputeHash(bytes);
    }
    return Convert.ToBase64String(hashBytes);
}
```

This is just a simple example: in a real-world scenario, you should use a salt for the hash as well. You can read more about salting here.

  • Simply and effectively! – c4pricorn Nov 05 '15 at 14:16
  • Is it OK to still use MD5 for this? I hear all kinds of things... – DrewJordan Nov 05 '15 at 14:19
  • @DrewJordan In general it is ok, but you can use other hash algorithms too, I said **hash algorithm like MD5** to leave the option of changing the algorithm for OP. And the OP looks for a good example. Here is a good and simple one ;) – Reza Aghaei Nov 05 '15 at 14:21
  • @DrewJordan No, bcrypt is definitely a much better choice. – Dmitry Savchenko Nov 05 '15 at 14:23
  • @DmitrySavchenko You are completely right but I think the question is about programming not security. – Reza Aghaei Nov 05 '15 at 14:24
  • I agree, this is a good, simple example. I'm no expert, but I read all over the place not to use MD5 anymore. While this is a good, clear example, it will lead the OP to use MD5. See [this](http://security.stackexchange.com/a/19908) for an example of what I mean. I just think, it would be a *better* answer, if you mentioned that MD5 is an *example* here, and we should use a different algorithm in production environments. – DrewJordan Nov 05 '15 at 14:24
  • How would I use this when creating a new account. Say I use a SQL command of "INSERT into [Database] (Username, Password, Role)..."? – imamage597 Nov 05 '15 at 14:25
  • @imamage597 Simply use a parametric query and pass `Hash(passwordTextBox.Text)` as the value of `@Password`. – Reza Aghaei Nov 05 '15 at 14:26
  • @DrewJordan I added the sample code for using SHA512Managed, but for bcrypt the OP should use [BCrypt.Net](https://bcrypt.codeplex.com/) or the [BCryptCreateHash](https://msdn.microsoft.com/en-us/library/windows/desktop/aa375383(v=vs.85).aspx) Windows API function. Hope you find it helpful. – Reza Aghaei Nov 05 '15 at 14:55
  • @DmitrySavchenko I added the sample code for using SHA512Managed, but for bcrypt the OP should use [BCrypt.Net](https://bcrypt.codeplex.com/) or the [BCryptCreateHash](https://msdn.microsoft.com/en-us/library/windows/desktop/aa375383(v=vs.85).aspx) Windows API function. Hope you find it helpful. – Reza Aghaei Nov 05 '15 at 14:55
  • Awesome, I like it much better now. – DrewJordan Nov 05 '15 at 14:56
  • Thank you for your feedback :) – Reza Aghaei Nov 05 '15 at 14:59
  • @DrewJordan By your logic, we should also mention that we should use salt with a hash. Since that is strongly recommended in a production environment. – Huntt Nov 05 '15 at 15:03
  • @Huntt Yes it makes the hash more secure but I think the question is not about security and such questions can be asked in http://security.stackexchange.com :) – Reza Aghaei Nov 05 '15 at 15:05
  • @Reza Aghaei I disagree, the reason why someone would ask about hashing is for security, otherwise they just would've saved their passwords in plaintext, and how to hash pretty much belongs on SO. And if we are already advising against MD5 for security reasons, it can't hurt to put readers on a good path altogether and also advise them to consider using salt for their hashes. – Huntt Nov 05 '15 at 15:12
  • @RezaAghaei I just added a sentence saying that, hope you don't mind :) – DrewJordan Nov 05 '15 at 15:13
  • @Huntt Thank you for your comment, I know what you mean and it is the reason that I respect the edit that DrewJordan made in answer to make it more useful for future readers :) Hope you find it useful too:) – Reza Aghaei Nov 05 '15 at 15:23
  • @DrewJordan It's OK :) hope it makes the answer more useful for future readers. – Reza Aghaei Nov 05 '15 at 15:24