best way to save passwords in SQL server?

  • Thread starter Thread starter Jassim Rahma
  • Start date Start date
J

Jassim Rahma

I want to know what's the best way to save passwords in SQL server using C#?
 
Jassim,

Honestly, don't. Saving passwords is a bad, bad idea. You are better
off creating a challenge/response mechanism.

However, if you have to save passwords, then encrypt the column, and
make sure that you secure the encryption key well. Here is some information
on how to encrypt a column of data:

http://msdn2.microsoft.com/en-us/library/ms179331.aspx
 
I want to know what's the best way to save passwords in SQL server using C#?

Use System.Security.Cryptography and convert password into hashes use
SHA1/MD5
 
Iapain said:
Use System.Security.Cryptography and convert password into hashes use
SHA1/MD5

Note that hashing algorithms are by nature one-way, meaning there isn't
a way to "unhash" something into a password again if you need to
retrieve it. Storing hashes is generally better, but it will mean that
should you ever actually need/want to see the password, you will be
unable to do so (easily, see below).

It used to be that hashes were viewed as offering more security in the
event of a system compromise but that's not necessarily true anymore
with the advent of Rainbow Tables and cheap disk space.

Chris.
 
Well, if you use a salt value then any attack using rainbow tables is
easily avoided.
 
Nicholas said:
Well, if you use a salt value then any attack using rainbow tables is
easily avoided.

Assuming they didn't already know the algorithm used. Salts do help, but
they don't invalidate rainbow tables -- just those using a different
algorithm to generate hash entries. Any way you slice it a total system
compromise is bad.

Chris.
 
thsn how can read it?

can you show an example on how to create the passowrd and read it back using
a login textbox?
 
Jassim said:
thsn how can read it?

can you show an example on how to create the passowrd and read it back
using a login textbox?

Nicholas already provided a response on this earlier when he told you
that it was a bad idea to save passwords, but if you absolutely must,
use an encrypted column of data. There's a link in that post that
explains it fairly well.

Chris.
 
Jassim said:
thsn how can read it?

can you show an example on how to create the passowrd and read it back
using a login textbox?

You would generate a hash of the password they entered in the textbox
and compare it to your stored hash, if they are equal then its the same
password.
Taking care to go through the same salting routine if used.

JB
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Back
Top