Hai guys,
I came to know that storing hash value of a password is a safe one from Preferred Method of Storing Passwords In Database...
How to salt and hash a password value using c#?
How to compare both the values stored in DB and the one given by the user?
Strictly speaking, you should salt the password then hash it, to avoid a dictionary attack. You can use any of the implementations of the
HashAlgorithm
abstract class in theSystem.Cryptography
namespace to calculate the hash - current best choice would probably be one of the SHA-2 algorithms.You store the hash not the password, and compare the hash values to authenticate the user.
The most popular way to do this is using a hashing algorithm. There's an excellent
blog post hereabout how to use the MD5 algorithm to hash a string, but there are many other examples in theSystem.Cryptography
namespace.As for #2, the general step-by-step guide to how this would work would be the following:
On registration:
On login / user & password check:
It's all relatively long-winded, but it's very secure.
There's another extremely in-depth guide on hashing and salting here.
For hashing you have several supported algorithms in System.Security.Cryptography, for your usecase you probably want to choose an SHA based hash or something similar.
Regarding the comparison: You don't compare the DB value and the one the user gave to you. You use the same encryption/hashing function that you used to store the password in the DB in the first place, this time with the user input. If the result is equal to the hash in the DB the password was (probably) correct.
The intention is that no one that has access to the DB can retrieve the passwords in clear text and not even your program needs to know about it (only the part that accepts the user input will have it for a short time).
Links (maybe even duplicates):
Like the others have said, there are many options.
Here is some sample code (using MD5 instead of SHA) from Microsoft that might help get you get started
System.Security.Cryptography.MD5
Simple hash: