This message was discovered on microsoft.public.dotnet.framework.
| Harris Boyce III |
Hello -
I'm looking for a way to store passwords in a SQL Server database using encryption. My thoughts are that when a user creates a new account the password is sent and encrypted using SHA1 or something of that sort and then stored in the database. When the user then sends the password to login, it's encrypted using the same method and then compared. I don't know if this is possible or not and I'd extremely appreciate examples, pointers, etc. if at all possible. I am also wondering what the best data type would be to store the encrypted data.
Thank you for your time.
- Harris Boyce
| Jason S. |
Yes this is possible... look in the System.Web.Security.FormsAuthentication namespace.
"Harris Boyce III" wrote in message news:#bqayu7TBHA.1860@tkmsftngp05... [Original message clipped]
| Michael Giagnocavo |
Yes, this is very possible. I did it using MD5. I manage everything as Base64, as I had bugs when passing the data around to different sites.
Here are my MD5 functions:
Imports System.Convert
Imports System.Security.Cryptography
Imports System.Text.Encoding

' Returns the Base64-encoded MD5 hash of s (24 characters).
Public Function ComputeMD5Hash(ByVal s As String, Optional ByRef MD5 As MD5CryptoServiceProvider = Nothing) As String
    If MD5 Is Nothing Then
        Return ToBase64String(New MD5CryptoServiceProvider().ComputeHash(ASCII.GetBytes(s)))
    Else
        Return ToBase64String(MD5.ComputeHash(ASCII.GetBytes(s)))
    End If
End Function

' Hashes sString the same way and compares the result with the stored Base64 hash.
Public Function CompareStringToHash(ByVal sString As String, ByVal sHash As String, Optional ByRef MD5 As MD5CryptoServiceProvider = Nothing) As Boolean
    If MD5 Is Nothing Then
        Return Equals(ToBase64String(New MD5CryptoServiceProvider().ComputeHash(ASCII.GetBytes(sString))), sHash)
    Else
        Return Equals(ToBase64String(MD5.ComputeHash(ASCII.GetBytes(sString))), sHash)
    End If
End Function
I store the data in a char(24). -mike
"Harris Boyce III" wrote in message news:#bqayu7TBHA.1860@tkmsftngp05... [Original message clipped]
| Harris Boyce III |
Thanks for your help.
I wasn't sure if I was on the right track or not and everything seems to be working fine. I basically synthesized what you gave me and what Mr. Pratt provided in C#. Thanks again.
- Harris Boyce
"Michael Giagnocavo" wrote in message news:#YRJY1DUBHA.1524@tkmsftngp05... [Original message clipped]
| Phillip Pratt |
What you are talking about is hashing, not encrypting. A hash algorithm is a one-way function (there's no way to get the original back from the hash); an encryption algorithm is a two-way function. Other than that distinction, though, what you are doing is the way to go. A hash is the appropriate method for storing passwords because there is never a reason to get back the original. Also, with a hash function, the output size is predetermined and independent of the input size (20 bytes in the case of SHA1). This makes choosing a datatype in a database pretty easy. And as far as hashing algorithms go, SHA1 is a good one.
Here's an example using a text box to get the input value:
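using System.Security.Cryptography;
using System.Text;

// Convert the text box contents to UTF-16 bytes and hash them with SHA-1.
UnicodeEncoding enc = new UnicodeEncoding();
byte[] plainbytes = enc.GetBytes(textBox1.Text);
SHA1 sha = new SHA1CryptoServiceProvider();
byte[] result = sha.ComputeHash(plainbytes); // 20-byte digest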
You may want to then encode the result byte array to some sort of text encoding (Base64 perhaps?) or just leave it as a byte array for storage.
Hope this helps.
"Harris Boyce III" wrote in message news:#bqayu7TBHA.1860@tkmsftngp05... [Original message clipped]
| Pablo Castro |
Take a look at the CryptoStream class. It'll allow you to both encrypt and decrypt data using I/O streams (if you don't want files, just use MemoryStream as your underlying stream).
About the SQL data type...you can simply encode the encrypted password in some textual format (i.e. Base64, CryptoStream can do that for you) and store it in a VARCHAR field.
--
Pablo Castro [MVP] Lagash Systems S.A.
"Harris Boyce III" wrote in message news:#bqayu7TBHA.1860@tkmsftngp05... [Original message clipped]
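The store-and-compare flow discussed in this thread, as an added C# example that is not from any of the posters. It goes further than the posted snippets: it uses a per-user random salt and PBKDF2 (`Rfc2898DeriveBytes.Pbkdf2`, .NET 6 or later) in place of a single MD5 or SHA-1 pass, encodes the password as UTF-8, and compares in constant time. The class name `PasswordStore`, the iteration count and the sample passwords are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the thread. Assumes .NET 6 or later.
public static class PasswordStore
{
    const int SaltBytes = 16;        // Base64 -> 24 chars, fits a char(24) column
    const int HashBytes = 32;        // Base64 -> 44 chars, fits a char(44) column
    const int Iterations = 600_000;  // assumed work factor; tune for your hardware

    // Returns the two Base64 strings to store in the user's row.
    public static (string Salt, string Hash) Create(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes); // fresh salt per user
        return (Convert.ToBase64String(salt),
                Convert.ToBase64String(Derive(password, salt)));
    }

    // Recomputes the hash from the login attempt and the stored salt.
    public static bool Verify(string password, string storedSalt, string storedHash)
    {
        byte[] expected = Convert.FromBase64String(storedHash);
        byte[] actual = Derive(password, Convert.FromBase64String(storedSalt));
        // Constant-time comparison of the raw bytes, unlike Equals on the Base64 text.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    static byte[] Derive(string password, byte[] salt)
    {
        // UTF-8 keeps every character; ASCII.GetBytes maps each non-ASCII
        // character to '?', so distinct passwords could hash identically.
        byte[] pw = Encoding.UTF8.GetBytes(password);
        return Rfc2898DeriveBytes.Pbkdf2(pw, salt, Iterations,
                                         HashAlgorithmName.SHA256, HashBytes);
    }

    public static void Main()
    {
        var (salt, hash) = Create("pässword-1");             // constructed sample
        Console.WriteLine($"{salt.Length} {hash.Length}");   // stored column widths
        Console.WriteLine(Verify("pässword-1", salt, hash)); // correct password
        Console.WriteLine(Verify("p?ssword-1", salt, hash)); // ASCII-mangled variant
    }
}
```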