Password Encryption

In this article we discuss why passwords must never be stored in plain text and how to store them safely using a one-way hash.

Most web sites authenticate users with a user name and password, and the verified identity then controls what the user may do on the site. The most important point is this: if you store the user's password in plain text and compare against it at login, anyone who obtains your database (an attacker, a backup thief, or a careless administrator) immediately has every user's password. Because many people reuse the same password on several sites, you have compromised those users not only on your site but on every other site where they used it. This must never be the case. So what is the right way to handle the problem? The answer is to store the password in a one-way, non-recoverable form rather than the password itself.

The transformation must be one-way: it must be practically impossible to recover the password from the stored value, even for the site's own operators. Strictly speaking this is not encryption at all. Encryption is reversible by whoever holds the key, so an encrypted password is only as safe as the key stored next to it; what we want is hashing.

The standard technique is therefore to hash the password with a cryptographic hash function.

A hash function is deterministic: same input + same hashing algorithm = same output. This is what makes validation possible without ever storing the password itself.

Implementing and validating the password involves these steps:

1) Hash the user's chosen password with the hashing algorithm and store the resulting hash (never the password itself).

2) At login, hash the password the user entered in exactly the same way and compare the result against the stored hash. If they match, the user knew the password.
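The two steps above, worked through as an added example that is not part of the original article. It uses a random per-user salt, a deliberately slow iterated hash (PBKDF2-HMAC-SHA256 via `Rfc2898DeriveBytes.Pbkdf2`) and a constant-time comparison. The `iterations.salt.hash` storage format and the iteration count are choices made for this example, not a standard; the code assumes .NET 6 or later, where the static `Pbkdf2`, `RandomNumberGenerator.GetBytes` and `CryptographicOperations.FixedTimeEquals` APIs exist.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not the article's code): store-and-verify with a salted,
// iterated password hash. Assumes .NET 6 or later.
public static class PasswordStorage
{
    // Parameters chosen for this example; raise Iterations as hardware allows.
    private const int SaltSize = 16;        // 128-bit random salt per password
    private const int HashSize = 32;        // 256-bit derived hash
    private const int Iterations = 310_000; // PBKDF2 work factor

    // Step 1: hash a new password and return the string to persist.
    // Format (assumed for this example): "iterations.base64(salt).base64(hash)".
    // Base64 never contains '.', so the separator is unambiguous.
    public static string HashPassword(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, HashSize);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }

    // Step 2: re-derive the hash from the attempted password using the salt and
    // iteration count that were stored with the record, then compare in
    // constant time so the comparison itself leaks no timing information.
    public static bool VerifyPassword(string attempt, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations))
            return false; // malformed record: fail closed

        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(
            attempt, salt, iterations, HashAlgorithmName.SHA256, expected.Length);

        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }
}

public static class Program
{
    public static void Main()
    {
        // Two users choose the same password: the stored values still differ,
        // because each record carries its own random salt.
        string storedA = PasswordStorage.HashPassword("Password1");
        string storedB = PasswordStorage.HashPassword("Password1");
        Console.WriteLine("Stored A: " + storedA);
        Console.WriteLine("Stored B: " + storedB);
        Console.WriteLine("A and B differ: " + (storedA != storedB));

        // Both the correct password and a near miss are checked against record A.
        Console.WriteLine("Correct password accepted: "
            + PasswordStorage.VerifyPassword("Password1", storedA));
        Console.WriteLine("Wrong password rejected: "
            + !PasswordStorage.VerifyPassword("password1", storedA));
    }
}
```

Because the salt and iteration count travel with each stored record, the work factor can be raised later for new passwords without invalidating existing ones, and identical passwords chosen by different users never produce identical stored values, so a leaked table cannot be attacked with a single precomputed list.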

Some of the cryptographic hash functions available:

  • MD5 (broken; do not use in new systems)
  • SHA-1 (deprecated; practical collisions have been demonstrated)
  • SHA-2 (SHA-256, SHA-512)
  • Whirlpool
  • Tiger

AES and Blowfish are often listed alongside these, but they are block ciphers, not hash functions: anyone holding the key can reverse them, so they do not give one-way storage. (Blowfish is, however, the building block of the bcrypt password hash.)

One caveat a practitioner must know: all of the functions above are general-purpose hashes designed to be fast, and for password storage fast is the wrong property. An attacker who steals the table can test billions of guesses per second against a plain SHA-1 or SHA-256 hash, and without a per-user random salt every user with the same password gets the same hash, so a single precomputed table cracks them all at once. For real systems, hash each password with its own random salt using a deliberately slow, iterated password-hashing function such as PBKDF2, bcrypt, scrypt or Argon2. The example below uses plain SHA-1 only to illustrate the mechanics of hashing.

Example using C#:

using System;
using System.Security.Cryptography;
using System.Text;

namespace ConsoleApplication1
{
    class Program
    {
        static void Main(string[] args)
        {
            string strPass = HashString("Password1");
            Console.WriteLine(strPass);
        }

        // Returns the lowercase hexadecimal SHA-1 digest of the input.
        // A single unsalted SHA-1 is fast to brute-force and identical for every
        // user with the same password: it illustrates hashing, but it is not
        // suitable for real password storage.
        public static string HashString(string strPass)
        {
            // UTF-8, not ASCII: ASCII encoding would replace every non-ASCII
            // character with '?', making different passwords hash identically.
            byte[] b = Encoding.UTF8.GetBytes(strPass);
            using (SHA1 sh = SHA1.Create())
            {
                byte[] hsh = sh.ComputeHash(b);
                StringBuilder pass = new StringBuilder(hsh.Length * 2);
                foreach (byte x in hsh)
                {
                    // two hexadecimal digits for each byte
                    pass.Append(x.ToString("x2"));
                }
                return pass.ToString();
            }
        }
    }
}

Note*: The hashing classes live in the System.Security.Cryptography namespace, which you must import with a using directive. In the .NET Framework the SHA-1 types are part of mscorlib, so no extra assembly reference is needed; only some other cryptography types (such as ProtectedData) require a reference to System.Security.dll.

#encryption