
How do I compare encrypted passwords that I inserted in the database with the user's input? I noticed that while I was testing my program, I created accounts that both have the same password but have different encryptions. How would I know if the user's input is the same as the one in the database? Does Encrypto do it that way, or does Encrypto have a distinctive way of determining which is which?

And am I using Encrypto right in this code?

    var hasher = new Hasher();
    hasher.SaltSize = 16;

    // Encrypts the password (Encrypto's Encrypt produces a salted hash)
    var encryptedPassword = hasher.Encrypt(txtPass.Text);

    Account newUser = new Account();
    System.Text.UTF8Encoding encoding = new System.Text.UTF8Encoding();

    newUser.accnt_User = txtUser.Text;
    newUser.accnt_Position = txtPosition.Text;
    // Store the hash string as bytes in the LINQ to SQL Binary column
    newUser.accnt_Pass = new System.Data.Linq.Binary(encoding.GetBytes(encryptedPassword));
KyelJmD
  • Does it do what you want? I don't see where you indicated what sort of encryption you are using, let alone generate the key and salt to do so. You do understand encrypting a password is NOT SECURE, right? – Security Hound Feb 24 '12 at 19:50
  • I am using this http://encrypto.codeplex.com/ – KyelJmD Feb 24 '12 at 19:52
  • Take a look at http://thecodemechanic.wordpress.com/2011/06/07/introduction-to-strong-cryptography-p1-0-hash-functions-us-patriots/ – Jonathan S. Fisher Feb 24 '12 at 20:02
  • You set the salt size, but how about the value? There should be a unique salt value used for each account so that two users with the same password will have different encrypted values. You need to save the salt for each account, or be able to rederive it, e.g. from the username and other data. – HABO Feb 24 '12 at 20:07
  • @Ramhound: Encrypto uses hashing, not reversible encryption. It is secure. – Mike Goodwin Feb 25 '12 at 08:41
  • @user92546: Encrypto generates a random salt inside the Encrypt method based on the salt length. – Mike Goodwin Feb 25 '12 at 08:42

2 Answers


Two identical passwords can result in different hashes because Encrypto appends a random salt to the end of the password before hashing it.

On CodePlex, check out the source code for Hasher.cs to see how they do this. They basically use the salt to do the hash and then append the salt to the end of the hash. This is what you store in the DB.

When a user sets their password or a new user registers, you hash the password and store it in the DB:

    var hasher = new Hasher();
    hasher.SaltSize = 16;
    var hashedPasswordToStoreInDB = hasher.Encrypt(passwordToSet);

Later on, when they log in and enter their password, you compare the password that the user types to the previously hashed version retrieved from the DB like this:

    var hasher = new Hasher();
    hasher.SaltSize = 16;
    bool areEqual = hasher.CompareStringToHash(enteredPassword, hashFromDatabase);

Again, if you look at the source code (Hasher.CompareStringToHash) you will see that the random salt is recovered from the stored hash and then used to compute a new hash from the entered password.

Mike Goodwin
  • For example, if I do this: var encryptedPassword = hasher.Encrypt(passwordField.Text); will I put the var encryptedPassword in the database? And then if I ever want to log in, I'll retrieve it and then use bool areEqual = hasher.CompareStringToHash(enteredPassword, queryResult)? – KyelJmD Feb 25 '12 at 02:41
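An added example, not Encrypto's own source or its storage format: the same scheme Mike describes (hash with a fresh random salt, append the salt to the hash, recover the salt from the stored value at login) written with standard .NET PBKDF2 so each step is visible. It assumes .NET Core 2.1 or later; the Encrypt and CompareStringToHash names mirror the Hasher calls above but belong to this example only.

```csharp
using System;
using System.Security.Cryptography;

// Illustration only (not Encrypto's code). Stored format is our own:
// Base64( hash || salt ). Assumes .NET Core 2.1+ for RandomNumberGenerator.Fill
// and CryptographicOperations.FixedTimeEquals.
public static class SaltedPasswordStore
{
    private const int SaltSize = 16;       // bytes, like hasher.SaltSize = 16 above
    private const int HashSize = 32;       // bytes of PBKDF2-SHA256 output
    private const int Iterations = 100000; // work factor; raise as hardware allows

    // Register / set password: returns the string to keep in the accnt_Pass column.
    public static string Encrypt(string password)
    {
        byte[] salt = new byte[SaltSize];
        RandomNumberGenerator.Fill(salt);              // fresh salt on every call
        byte[] hash = Derive(password, salt);

        byte[] stored = new byte[HashSize + SaltSize];
        Buffer.BlockCopy(hash, 0, stored, 0, HashSize);
        Buffer.BlockCopy(salt, 0, stored, HashSize, SaltSize);
        return Convert.ToBase64String(stored);
    }

    // Login: pull the salt back out of the stored value, re-derive, then compare.
    public static bool CompareStringToHash(string entered, string storedValue)
    {
        byte[] stored = Convert.FromBase64String(storedValue);
        if (stored.Length != HashSize + SaltSize) return false;   // malformed row

        byte[] expected = new byte[HashSize];
        byte[] salt = new byte[SaltSize];
        Buffer.BlockCopy(stored, 0, expected, 0, HashSize);
        Buffer.BlockCopy(stored, HashSize, salt, 0, SaltSize);

        byte[] actual = Derive(entered, salt);
        // Fixed-time compare so a wrong guess takes the same time however close it is.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashSize);
    }
}
```

Calling Encrypt twice with the same password gives two different stored strings because each call draws its own salt, and CompareStringToHash returns true for both of them.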

I don't know about Encrypto specifically, but the general principle is this: you "salt" the password, then encrypt it, and store it in the database. When someone logs in, you redo the same thing: salt, encrypt, and then compare to the hash stored in the database.

The reason why two identical passwords may yield different hashes is the salt: you alter the password before encrypting it, so that looking at the hashes alone makes it harder to figure out your hashing mechanism. The salt can always be the same (poor security), a function of the username, or a function of another random string that you store along with the encrypted password in the database.

Again, I don't know Encrypto, but just use the same logic you used to generate the hash in the database when you want to compare it with the user's input password.

Spiky