.NET
Weageoo, 2011-04-20 22:46:49

Secure user password storage

There is an application in C# .NET. It has a CheckBox "Remember password".

Q: What is the best way to securely store a user's password? I read that you can encrypt using a machine key (UPD: rather, this option only works for ASP.NET applications, not for desktop ones), but I don't remember where. What is the most acceptable or popular approach? Poke your nose at a good example.

UPD1: There are suspicions that you need to use
-> System.IO.IsolatedStorage Namespace
-> Windows Crypto API

UPD2: The solution is almost found, but there is no full confidence in the correctness of the approach. Going to use the System.Security.Cryptography.ProtectedData class that encapsulates Windows Data Protection API (DPAPI) functionality. Have I chosen the right path?

UPD3: Finally settled on System.Security.Cryptography.ProtectedData. Read more about DPAPI in .NET here and here.


2 answer(s)
soks, 2011-04-20
@soks

The ideal option is to convert the password to a hash code and store the hash in the database.
Particularly popular are SHA-1 and MD5 hashes; .NET has built-in functions for generating hashes.
Example: the password "password" is converted to "5b2ff20a6d9ac7899fe8d9e8e35cc922" and entered into the database. During subsequent password validation, the hash of the entered password and the hash from the database are checked.

Riateche, 2011-04-21
@Riateche

I may be wrong, but Jabber seems to support hashed password authorization, without transferring the original password. Unless, of course, you are writing a Jabber client, not a server.
