Overclock.net › Forums › Software, Programming and Coding › Coding and Programming › Simple password encryption c#
Simple password encryption c#

post #1 of 35
Thread Starter 
Hi All,

I am looking for a simple way to hash passwords for storage in a local DB.

Below is the code that saves the data from the form to the database
Code:
db.Entry(Newuser).State = System.Data.EntityState.Added;
db.SaveChanges();

Can I grab the password from the Newuser object, hash it, then put it back into the object before it's written to the database? Or can it be hashed before it becomes a part of the object?

I want to do this in the most simple way possible, there are lots of articles online about hashing and salting but I don't need anything that complex.
post #2 of 35
Thread Starter 
I have decided to use the following

http://www.phibui.com/blog/post/2013/03/24/Simple-way-to-encrypt-and-decrypt-password-or-data-in-ASPNET-C-.aspx
post #3 of 35
I would strongly advise against using Base64 for "encryption". Base64 only obfuscates the string. It does not encrypt it at all. Any hacker worth their salt will immediately know what is going on and break the "encryption".

Use a real encryption algorithm such as SHA. Make sure to salt your strings as well for better security against rainbow attacks. Here is an example taken from one of my projects.
Code:
using System;
using System.Security.Cryptography;
using System.Text;

public static String EncryptPassword(String password, String salt)
{
    String encryptedPassword = "";
    // Append the salt so the same password with a different salt gives a different digest.
    String saltedPassword = password + salt;

    // One-way SHA-512 digest of the salted string; the output cannot be turned back into the password.
    HashAlgorithm algorithm = new SHA512Managed();

    // Encoding.Unicode = UTF-16LE bytes of the string.
    byte[] hash = algorithm.ComputeHash(Encoding.Unicode.GetBytes(saltedPassword));

    // Render the 64-byte digest as 128 upper-case hex characters.
    foreach (byte b in hash)
    {
        encryptedPassword += b.ToString("X2");
    }

    return encryptedPassword;
}
post #4 of 35
Do you want encryption, hashing or encoding?

These are my choices:

Encryption - Blowfish or AES
Hashing - SHA256
Encoding - Base64
post #5 of 35
Thread Starter 
Quote:
Originally Posted by SchmoSalt View Post

I would strongly advise against using Base64 for "encryption". Base64 only obfuscates the string. It does not encrypt it at all. Any hacker worth their salt will immediately know what is going on and break the "encryption".

Use a real encryption algorithm such as SHA. Make sure to salt your strings as well for better security against rainbow attacks. Here is an example taken from one of my projects.
Code:
public static String EncryptPassword(String password, String salt)
{
    String encryptedPassword = "";
    String saltedPassword = password + salt;

    HashAlgorithm algorithm = new SHA512Managed();

    byte[] hash = algorithm.ComputeHash(Encoding.Unicode.GetBytes(saltedPassword));

    foreach (byte b in hash)
    {
        encryptedPassword += b.ToString("X2");
    }

    return encryptedPassword;
}

I see how this would encrypt the password but how could you validate against this at the log on?
post #6 of 35
Or the condensed version
Code:
// Needs: using System; using System.Security.Cryptography; using System.Text;
public static string hash(string password, string salt)
{
    // BitConverter renders the digest as "AB-CD-..."; stripping the dashes leaves plain hex.
    return BitConverter.ToString(new SHA512Managed().ComputeHash(Encoding.Unicode.GetBytes(password + salt))).Replace("-", "");
}

Quote:
Originally Posted by ipv89 View Post

I see how this would encrypt the password but how could you validate against this at the log on?

It's not encrypted, it's hashed. You store the hashed password (along with the salt) in your DB. When you're going to authenticate a user you take whatever password they input + the salt from the DB, then compute the hash and compare the result to what's in your DB. If it matches, password = correct. Make sure you don't use the same salt. Ideally, all of them should differ.
post #7 of 35
The minimum you really want to be using these days is SHA512 (SHA256 is secure at the moment - but I can see that being argued as not computationally intensive enough within the next couple of years - so you're better off futureproofing yourself now). Personally I'd recommend bcrypt or scrypt the password before SHA512 hashing it.

Contrary to what others have said on here, avoid SHA1. Also avoid MD5 (not mentioned here but a bizarrely popular choice).

Lastly, base64 is just a number base - like hexadecimal. Where base64 comes into its own is displaying binary data as ASCII (which is why it's commonly used in email). Your encrypted passwords should be stored as base64, but do not use base64 as encryption because it's only a number base and thus trivially reversible to ASCII character codes. So use bcrypt / SHA512 then base64 encode the result (if your encryption / hashing libraries do not do this automatically) and store that in your db.
post #8 of 35
The best method is, as mentioned, to use a salted hash.
You hash the password with the salt (which should be randomized upon creation), and save the hash along with the salt.
Then, every time you verify a user's password, you do the exact same thing and compare the hashes.

The hash should be computationally expensive, and have a reasonably high collision resistance.
bcrypt is probably the most favored in both of those aspects, and has a NuGet package if you want to use that in C#. It's a hashing algorithm intended to be used with passwords. SHA2 or variants (e.g. SHA256) are theoretically compromised, but there have been no real incidents of a collision (yet).

I really suggest you read some online articles about storing passwords properly, since it's easy to get wrong:
http://blog.codinghorror.com/youre-probably-storing-passwords-incorrectly/
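Putting the register/verify flow described in posts #6 and #8 into working C# (an added example, not code from anyone in this thread): a fresh random salt per user, a deliberately slow hash, and a constant-time comparison at login. It substitutes PBKDF2 from the framework's own Rfc2898DeriveBytes for the bcrypt NuGet package so that nothing beyond .NET 6 is assumed; the Newuser.Salt / Newuser.PasswordHash names in the comments are hypothetical column names.

```csharp
using System;
using System.Security.Cryptography;

// Assumed: .NET 6 or later (Rfc2898DeriveBytes.Pbkdf2, RandomNumberGenerator.GetBytes
// and CryptographicOperations.FixedTimeEquals are all in the framework, no NuGet needed).
public static class PasswordStore
{
    const int SaltBytes = 16;       // 128-bit random salt, a new one for every user
    const int HashBytes = 32;       // 256-bit derived key
    const int Iterations = 210_000; // work factor: raise it as hardware gets faster

    // Registration: returns (salt, hash) to store in the user row, e.g. the
    // hypothetical Newuser.Salt and Newuser.PasswordHash, instead of the password.
    public static (string Salt, string Hash) Create(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations,
                                                HashAlgorithmName.SHA512, HashBytes);
        return (Convert.ToBase64String(salt), Convert.ToBase64String(hash));
    }

    // Login: recompute with the salt stored for that user and compare in constant
    // time so a mismatch is not detectable by how early the comparison stops.
    public static bool Verify(string password, string storedSalt, string storedHash)
    {
        byte[] salt = Convert.FromBase64String(storedSalt);
        byte[] expected = Convert.FromBase64String(storedHash);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations,
                                                  HashAlgorithmName.SHA512, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample: register a user, then try two logins against the stored values.
        var (salt, hash) = PasswordStore.Create("correct horse battery staple");
        Console.WriteLine(PasswordStore.Verify("correct horse battery staple", salt, hash));
        Console.WriteLine(PasswordStore.Verify("wrong password", salt, hash));

        // Registering the same password again yields a different salt and therefore a
        // different hash, which is what makes a precomputed (rainbow) table useless.
        var (salt2, hash2) = PasswordStore.Create("correct horse battery staple");
        Console.WriteLine(salt != salt2 && hash != hash2);
    }
}
```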
post #9 of 35
Quote:
Originally Posted by gonX View Post

You hash the password with the salt (which should be randomized upon creation), and save the hash along with the salt.

This x1000.

No salt = vulnerable to rainbow tables, terrible
Single salt = not really vulnerable to rainbow tables (if done correctly with a strong salt), decent but brute forcing mass passwords is easy with a single salt
Random salt = not really vulnerable to rainbow tables (if done correctly with a strong salt), amazing because now every single password must be brute forced which is very computationally expensive
post #10 of 35
Quote:
Originally Posted by gonX View Post

The best method, is as mentioned, to use a salted hash.
You hash the password with the salt (which should be randomized upon creation), and save the hash along with the salt.
Then, every time you verify a users password, you do the exact same thing and compare the hashes.

The hash should be computationally expensive, and have a reasonably high collision resistance.
bcrypt is probably the most favored in both of those aspects, and has a NuGet package if you want to use that in C#. It's a hashing algorithm intended to be used with passwords. SHA2 or variants (e.g. SHA256) are theoretically compromised, but there have been no real incidents of a collision (yet).

I really suggest you read some online articles about storing passwords properly, since it's easy to get wrong:
http://blog.codinghorror.com/youre-probably-storing-passwords-incorrectly/

Collision attacks aren't an issue with SHA2. The issue is rainbow tables (which can be mitigated with unique salts - so you were right to recommend that) and brute force attacks. Which is why I advocate SHA512 as it's more computationally expensive.

It's also worth mentioning that SHA256 isn't a variant of SHA2. SHA256 is SHA2. SHA2 is a set of 6 cryptographic hash functions, including SHA256 and SHA512.