Create an encrypted password and store it in SQLite to use in authentication

Ostorlabi · Jun 28, 2012 · Viewed 9.6k times · Source

I have a WinForms application with a login form, and I want to store the username and password encrypted in a SQLite database. I saw that I can use salt and hash, but I don't know how to encrypt the password in the code, and compare it when we authenticate.

Any help please?

Answer

idlemind · Jun 28, 2012

You will need to take the username and password (the password from a masked text box, preferably with a second box for confirmation), salt it, and create a hash from the password, and then insert the plaintext username and salted hash of the password into the database. You can then verify the user's password in future by comparing the database-stored version with a salted (same salt!) hash of what the user enters.

Note that each user should have their own salt, which you randomly generate for that user when they create their account. (This is more secure than a global salt value, which a hacker could discover.)

Take a look at this article. It pretty much covers all the bases, but don't use SHA-1 as recommended in the article. You want a slow hash function that is computationally expensive such as BCrypt, or PBKDF2 (which is included in .NET). See "What makes a good hash function for passwords". (Thanks @CodeInChaos for pointing this out).

You can use Rfc2898DeriveBytes in System.Security.Cryptography to create the salted hash of the password, PBKDF2 style.

using System;                          // Guid
using System.Security.Cryptography;    // Rfc2898DeriveBytes
byte[] salt = Guid.NewGuid().ToByteArray();   // ToByteArray() is a method, not an indexer; call saltedHash.GetBytes(n) to get the hash to store
Rfc2898DeriveBytes saltedHash = new Rfc2898DeriveBytes("P@$$w0rd", salt, 1000);

A good rule of thumb is that the number of iterations should cause the hashing operation to take about a second.