Four years ago, I was working as a developer in a company that made custom content
management systems. We offered back-ups of the databases to our customers on a monthly
basis, but in those databases we stored all the users’ login information. The customer
was of course happy about getting all the passwords, but I saw that as a severe security
breach.
So, I convinced my boss to let me implement password encryption using a very simple
but powerful tool – one way encryption. One way encryption means that you can encrypt
a value but you cannot decrypt it again, so no one was able to retrieve the actual
passwords.
This is the simple method I used for encryption.
using System.Text;
using System.Security.Cryptography;
/// <summary>
/// Encrypts
a string that cannot be decrypted. It is encrypted one-way in order
/// to
make it impossible to decrypt. The purpose of this mehod could be to hide
/// password
information from potential hackers and even the system administrators.
/// </summary>
/// <param
name="plainMessage">The
string you want to encrypt.</param>
/// <returns>A
MD5 hashed byte array as a base64 string.</returns>
public string Encrypt(string plainMessage)
{
using (MD5CryptoServiceProvider md5Hasher
= new MD5CryptoServiceProvider())
{
byte[] hashedDataBytes = md5Hasher.ComputeHash(Encoding.UTF8.GetBytes(plainMessage));
return Convert.ToBase64String(hashedDataBytes);
}
}
Example of use
The use of this method is pretty simple. The password field in the database contained
the encrypted password and every time a user tried to authenticate I would encrypt
the password and query the database using the encrypted string. This is a dummy method
that does just that.
private bool Login(string password)
{
string encryptedPassword
= Encrypt(password);
// Query database for encrypted password
return CanAuthenticate(encryptedPassword);
}
If I pass my own name to the Encrypt method this would be the result:
Encrypt("Mads Kristensen ") --> “DHi8pBS6u7fWewZBHO9WPw==”.
Now the database was filled with totally unreadable values that effectively shielded
the right passwords.
UPDATE septemper 12
As some of the comments point out, the MD5 algorithm is not secure enough. So, I wrote
a new
Encrypt method using the SHA256 algorithm.
* $4.95/month BlogEngine.net Hosting – Click Here!