C# Reading encrypted passwords

I use the code below to save the password in the registry. How do I convert it? The code below is not mine, but it encrypts well.

thanks

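    using System;
    using System.Security.Cryptography;
    using System.Text;

    public static string EncodePasswordToBase64(string password)
    {
        byte[] bytes = Encoding.Unicode.GetBytes(password);
        // dst is a zero-filled array of the same length as bytes;
        // the password bytes are never copied into it.
        byte[] dst = new byte[bytes.Length];
        // The SHA1 hash is computed over dst, not over bytes.
        byte[] inArray = HashAlgorithm.Create("SHA1").ComputeHash(dst);
        return Convert.ToBase64String(inArray);
    }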
+4
source
11 answers

SHA1 is a hashing algorithm, not an encryption algorithm. A hash algorithm is a one-way function that converts data into a hash of that data, but the original data cannot be recovered from the hash. An encryption algorithm is a two-way function that converts data into encrypted data, and then the encrypted data can be converted back to the original data.

+31
source

To safely store a password so that it can be read, use the ProtectedData class.

    using System;
    using System.Security.Cryptography;
    using System.Text;

    // Encrypts the password with DPAPI, bound to the current Windows user.
    public static string ProtectPassword(string password)
    {
        byte[] bytes = Encoding.Unicode.GetBytes(password);
        byte[] protectedPassword = ProtectedData.Protect(bytes, null, DataProtectionScope.CurrentUser);
        return Convert.ToBase64String(protectedPassword);
    }

    // Decrypts a value produced by ProtectPassword; must run as the same user.
    public static string UnprotectPassword(string protectedPassword)
    {
        byte[] bytes = Convert.FromBase64String(protectedPassword);
        byte[] password = ProtectedData.Unprotect(bytes, null, DataProtectionScope.CurrentUser);
        return Encoding.Unicode.GetString(password);
    }
+12
source

Take what the user enters as a password to gain access to the system, encrypt it in the same way, and then compare the encrypted values, as is the usual approach. I am sure that SHA1 is hatch-based encryption, i.e. it cannot be tracked.

+8
source

No.

SHA1 is a hash, not encryption. This is a one-way operation; reversal is not possible.

(Well, this is not entirely true, if you have a table of possible SHA1 values and plain text values, a rainbow table, then you might be lucky.)

You should also salt your hashes because you are vulnerable to attacks with a rainbow table right now. Jeff talks a little more about this on his blog.

+7
source

Okay, so I know this does not answer your specific question, but why do you want to return it?

When comparing to provide authentication, the standard approach is to encrypt this text ALSO and compare the saved password with the password provided.

This is safer as it means that the original password never needs to be decrypted.

+3
source

I think one of the points of using hashes is that they cannot be calculated back.

As someone else said, calculate the hash from the user's password and compare with the stored hash value.

+2
source

To use the System.Security.Cryptography.ProtectedData class, you must add a reference to System.Security in your project.

(Right-click on the "References" folder, select "Add Reference ...", find "System.Security" on the .NET tab)

+2
source

Um, just curious, but won't the same hash return for all passwords of the same length?

+1
source

Using your own snippet of code above, what you want to do is call this method when the user initially selects a password, but add to the password what is called a salt somewhere in the password string (usually at the beginning or at the end). Then, when the user tries to authenticate later, they enter their password, you run it with the hash through the same method, and if these two hashes are equal, this is a statistically different chance that the passwords are equal and valid.

As said, SHA1, as you know, has weaknesses, and you should choose a stronger algorithm. If you want to stay in the SHA family, SHA512 is very good.

0
source

You want to use encryption, not hashing. SHA is excellent, but encryption methods are used for this. The problem with encryption is always where to put the key for it. You did not mention whether it was the workstation or the server on which you did it. On the server, I find it better to just use an ACL to restrict access to the registry key. Administrators can usually access the encryption key anyway ... you must have some kind of trust. On a workstation, you can use encryption and store the key in code or use a certificate and restrict access to it, at least in a corporate environment (... not for selling software).

You can use the ProtectedData class, but keep in mind that it uses user profiles to use the key, and so you need to make sure that you impersonate a user who has a profile using the key you need. This may or may not be trivial and may or may not cause headaches and security problems.

0
source

I noticed a recent addition of the XMLEncryptedData class. For encrypting data in an XML file, is the XMLEncryptedData method more desirable than the DPAPI method?

0
source
