I am storing user logon encrypted passwords in a database (SQL Server). Because of an API restriction, the passwords need to be encrypted on the C# end of things, so I can't use the database's built-in encryption. what is the fastest/easiest way to encrypt these passwords so I can compare them to what the user would have typed in to a third-party service later?

I am new to C# and I understand that passwords should never be in plain text so that's why I want to make sure I have the highest security. I have tried using the RSA.EncryptValue() function but I'm pretty lost as to how to use it correctly.

Any help is appreciated - thanks in advance.

-Jimmy

You don't want to encrypt and store passwords. You want to generate a hash and store that. Then, when a user is logging in, you regenerate the hash and compare it to the one stored in the database.

The answers to this question provide examples of how one might hash a password in c# (one answer includes information on doing a "salted" hash).

Firstly dont encrypt; hash. Secondly dont encrypt; hash.

A password should never be recoverable.

I'd advise reading... http://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-1.html front to back.

You should salt your passwords and hash using a decent hashing algorithm; take SHA512 for the low end, or if your serious about protecting that data look at something more along the lines of BCrypt http://code.google.com/p/bcryptnet/

The point in hashing rather than encrypting isn't to secure your site against brute force attacks, but more importantly, is to secure your users against data loss.

i.e. http://www.bbc.co.uk/news/technology-11998648 - Gawker https://www.google.co.uk/search?sourceid=chrome&ie=UTF-8&q=sony+hacked

People put allot of trust in the hands of web developers taking care of their, often pathetic, passwords. Taking good care of them can make a hell of a lot of difference.

With BCrypt you set a workfactor to the salting; I would also add a database salt (see the troy hunt membership provider article on how MSFT does it) to increase the original password value.

Example from the BCrypt site (BCrypt.net is also a NUGET package)

 // Pass a logRounds parameter to GenerateSalt to explicitly specify the 
 // amount of resources required to check the password. The work factor  
 // increases exponentially, so each increment is twice as much work. If 
 // omitted, a default of 10 is used. 

 string hashed = BCrypt.HashPassword(password, BCrypt.GenerateSalt(12));

 // Check the password. 
 bool matches = BCrypt.CheckPassword(candidate, hashed);

Hope thats been of use.

You can of course use the built in forms authentication encryption system to encrypt/decrypt your data. Though it's somewhere between daft and dangerous to encrypt passwords.

• http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.encrypt.aspx
• http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.decrypt.aspx

You'd also need to add a machineKey tag to your web config, microsoft provides a generator for this; http://aspnetresources.com/tools/machineKey The tool creates a 256-bit decryption key and a 512-bit validation key, with Rijndael as the data validation algorithm.

And if you DO NEED (as in you'll be shot if you don't) to start throwing plaintext passwords around, for all that is holy, check the service is restricting by IP (IPSec) and please, dear god, use SSL.

Like Steve Wellens mentioned generate a hash. Hope this gives some insight on the different ones available