C# Security: How do I secure a user password? [duplicate] - c#

This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to store password in database
does anyone know a way to secure a password that the user is creating on the site which is then saved in a database table?
The passwords are currently stored as Plain text, I know..I Know!
Thanks

The standard answer goes like this:
Do not store passwords in clear text. Store hashed versions of passwords. When you hash passwords - choose appropriate hashing algorithm and use unique salt values as well.
http://www.troyhunt.com/2011/06/owasp-top-10-for-net-developers-part-7.html
Also PLEASE read this.
http://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/
Some hashing algorythms are too fast (or too easy to break using modern computing power). Use password hashing algoritms (like scrypt).

Salt the password using a per-record salt (i.e. all users use a different salt based on some piece of user information). Than take this salted password and hash it using some hashing algorithm such as an SHA hash.
See for example Hash and salt passwords in C#

You can secure a password by hashing it

You can hash it using md5 encrypt.

Related

Decode SHA256 to string [duplicate]

This question already has answers here:
Decrypt from SHA256
(3 answers)
Closed 8 months ago.
How can I decode SHA256 in c#?
I tested an online SHA256 Decrypt website and it worked.
Is it possible in c#?
https://10015.io/tools/sha256-encrypt-decrypt
On the website we can read
SHA256 is a hashing algorithm. There is no direct method for SHA256 decryption. SHA256 is decrypted by using Trial & Error methodology. It may take some time if either the text that will be decrypted or the character set that will be used for decryption is long.
Basically a hash function (such as sha256) is irreversible. You cannot retrieve the inputs given a hash (that's why it's widely used for security purposes).
In order to perform a "decryption", you only have one way to go : guess and check. That what the website does [...] SHA256 is decrypted by using Trial & Error methodology [..].

Lua or C equivalent to System.Web.Helpers.Crypto.VerifyHashedPassword [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 7 years ago.
Improve this question
I'm looking for the Lua or C equivalent to the .NET method System.Web.Helpers.Crypto.VerifyHashedPassword. The issue I'm solving for is the password hash being created by a .NET application but need to have a Lua application handle the authentication.
The source for the .NET class is available here but it seems this will get fairly deep and difficult quickly to rebuild in either Lua or C.
Existing crypto libraries in Lua didn't appear to solve this issue.
Any help is appreciated!
I don't think there's an exact equivalent implementation available for Lua. From looking at the C# implementation it's well documented so it shouldn't be too hard to port the implementation over to Lua or C.
The good news is that the crypto primitives used in the .NET implementation is available so you don't need to rewrite those parts. In particular, you'll need:
PBKDF2 key derivation function from rfc2898.
SHA1 used by PBKDF2 as the underlying hashing function. Depending on your requirements you may want SHA256 in there too but PBKDF2 itself is designed to be hash function agnostic. SHA1 is the default used if going by rfc2898 specs.
Base32/64 encoding decoding functions. From looking at the source the hashedPassword is expected to be in base64.
Also pay attention to this important comment:
/* =======================
* HASHED PASSWORD FORMATS
* =======================
*
* Version 0:
* PBKDF2 with HMAC-SHA1, 128-bit salt, 256-bit subkey, 1000 iterations.
* (See also: SDL crypto guidelines v5.1, Part III)
* Format: { 0x00, salt, subkey }
*/
Now there are a couple of PBKDF2 lua implementations out there:
https://github.com/moteus/lua-bgcrypto-sha/blob/master/src/lua/pbkdf2.lua
https://github.com/bungle/lua-resty-nettle/blob/master/lib/resty/nettle/pbkdf2.lua
For base encoding utilities check out https://github.com/aiq/basexx for a pure lua implementation.
The framework you linked does provide some rudimentary test vectors in the crypto unittest here. You can use that to test your own implementation to make sure it has the same behavior.
I did write my own PBKDF2 implementation in pure lua as an exercise in wifi WPA cracking. If you're interested in it, I can share it.
Take any library/code/whatever, say, https://www.gnu.org/software/libc/manual/html_node/crypt.html (the first result on google for 'c md5 library') Then simply hash the input password (important: same hash alg as the password is encrypted with. Probably an md5, as I guessed above - if it's not md_5 - well, you have the source code to it, figure out what alg it is) and compare the byte arrays - if they exactly match, then the password is either correct or a collision at least - if they don't exactly match, the password is wrong.

Encrypted form of letters from w to ~ is stored as ? in sql server [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Improve this question
I am encrypting the password and storing the encrypted password in the database. The Key for encryption is 8. For example, if my password is abc, then the encrypted form of abc will be ijk which is stored in the database. Till the letter v, this is working properly. The ASCII value of v is 118. So, 118+8=126 i.e; ~ will be stored as the encrypted form of v. But, from the letter w till the ~ i.e; from 119 to 126, the encrypted form of these letters stored in database is ?. Is there any better way to encrypt these 8 letters?
I am encrypting the password and storing the encrypted password in the database.
Also known as "doing it wrong". You do not encrypt and store passwords. You should cryptographically hash them (with salt).
The Key for encryption is 8. For example, if my password is abc, then the encrypted form of abc will be ijk which is stored in the database.
That is not encryption; it is barely obfuscation.
Is there any better way to encrypt these 8 letters?
If you want to store non-text characters, either use a varbinary(...) or use base-64 to store arbitrary binary as string data (the first is more efficient).
However, it must be emphasized that your current process is very very wrong, and you shouldn't be doing that. I'm reluctant to help you make such a fundamental security mistake.
The correct thing to do here is to use a well-known, reliable secure hashing function (with salt), and hash the password, storing only the hash. To test a password, you run the same hashing algorithm (and same salt) against what the user enters, and compare the hashes. You should not, even with god access and knowledge of all the magic numbers, be able to decrypt password data to recover the actual password.

which algorithm preferred for hashing passwords C#? [duplicate]

This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
What algorithm should I use to hash passwords into my database?
I am new to this hashing on password. I read the hashing + salt make passwords really safe. But still confused which hashing algorithm should I use as there are many like.
MD5CryptoServiceProvider
SHA1Managed
SHA256Managedetc.
How can I decide which one is good for me or all are equal. Can I pick up anyone blindly?
MD5:
In 1996, a flaw was found with the design of MD5, and while it was
not a clearly fatal weakness, cryptographers began recommending the
use of other algorithms, such as SHA-1—which has since been found to
be vulnerable as well.
SHA1:
In 2005, cryptanalysts found attacks on SHA-1 suggesting that the
algorithm might not be secure enough for ongoing use
SHA2 which SHA256 is a type of does not have a known vulnerability as of the moment of writing.
Fast hash algorithms like MD5, SHA-1 or even SHA-256 are not good choices to hash passwords, because they are much too fast and can be brute-forced too easily. One can calculate about 3 Giga SHA-1 values per second with common hardware in 2013.
Instead you can use a slow key-derivation function like BCrypt or PBKDF2. CSharp has native support for PBKDF2, it can be implemented with the Rfc2898DeriveBytes class, an example you can find here.
Also easy to use is this BCrypt library. Often people are not sure if it is safe to use such libraries, but i don't think there are arguments against using it. As long as the library returns the correct value and generates the salt correctly, it should be fine, because the security comes from the algorithm and not from the implementation.
MD5 is considered crackable. SHA1 is good but maybe crackable. SHA256 is good.
https://security.stackexchange.com/questions/5586/why-do-people-think-that-this-is-bad-way-to-hash-passwords
SHA1 vs md5 vs SHA256: which to use for a PHP login?
Is SHA-1 secure for password storage?

Excellent Encryption for String Type Data [duplicate]

This question already has answers here:
Closed 12 years ago.
Possible Duplicate:
How to encrypt a string in .NET?
Which one is the most excellent and toughest encryption for String type data in C#..
That really depends on your exact requirements.
Most modern encryption algorithms are probably more than strong enough for your needs if you use them properly.
The weak point in your system will not be the encryption algorithm itself. Almost every other aspect of your setup will be more vulnerable to attack than the algorithm.
My primary answer is "it depends upon what you're doing with that string". This question (and answers) will guide you...
.NET Secure Memory Structures
... but it depends if you're encyrpting/security that string in memory, how you're persisting it, how you intend using that string and how you intend disposing of it.
These SO questions touch on these topics too..
How to encrypt a string in .NET?
What's the best way to encrypt short strings in .NET?
... and contain useful links.
That would be a one-time pad. If correctly implemented it's been proved to be impossible to crack but an OTP is most probably not a viable option for you.
RSA encryption is very secure and .NET supports it. But since asymmetric encryption is only designed for encrypting data smaller than it's key size it's often not a great choice for encryption of arbitrary strings. That leads us to block ciphers and among those I would recommend AES.

Categories