Create a password encrypted and store it in sqlite to use in authentication

10,334

You will need to take the username and password (the password from a masked text box, preferably with a second box for confirmation), salt it, create a hash from the password, and then insert the plaintext username and salted hash of the password into the database. You can then verify the user's password in future by comparing the database-stored version with a salted (same salt!) hash of what the user enters.

Note that each user should have their own salt, which you randomly generate for that user when they create their account. (This is more secure than a global salt value, which a hacker could discover.)

Take a look at this article. It pretty much covers all the bases, but don't use SHA-1 as recommended in the article. You want a slow hash function that is computationally expensive such as BCrypt, or PBKDF2 (which is included in .NET). See "What makes a good hash function for passwords". (Thanks @CodeInChaos for pointing this out).

You can use Rfc2898DeriveBytes in System.Security.Cryptography to create the salted hash of the password, PBKDF2 style.

byte[] salt = Guid.NewGuid().ToByteArray(); // 16-byte per-user salt (ToByteArray is a method call, so it needs parentheses)
Rfc2898DeriveBytes saltedHash = new Rfc2898DeriveBytes("P@$$w0rd", salt, 1000); // PBKDF2 with 1000 iterations
byte[] hash = saltedHash.GetBytes(20); // the derived bytes are what you store next to the salt and username

A good rule of thumb is that the number of iterations should cause the hashing operation to take about a second.
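The following is an added example, not code from the original answer, showing the full register-and-verify flow the answer describes against a SQLite table. It assumes the Microsoft.Data.Sqlite NuGet package (System.Data.SQLite works the same way with different type names), and the table and column names are illustrative. It swaps the answer's Guid-based salt for RandomNumberGenerator, since GUIDs are not specified to be cryptographically random, raises the iteration count, and compares hashes in constant time so a mismatch does not leak how many leading bytes were right.

```csharp
// Added example (not from the original answer): PBKDF2 password storage and
// verification against SQLite. Assumes the Microsoft.Data.Sqlite package;
// table and column names are illustrative.
using System;
using System.Security.Cryptography;
using Microsoft.Data.Sqlite;

public static class PasswordStore
{
    const int SaltSize = 16;       // 128-bit random salt, generated fresh per user
    const int HashSize = 32;       // 256-bit derived key stored in the database
    const int Iterations = 100000; // tune so one derivation takes roughly a second on your hardware

    public static void CreateSchema(SqliteConnection conn)
    {
        using var cmd = conn.CreateCommand();
        // Storing the iteration count per row lets you raise it later without breaking old accounts.
        cmd.CommandText = @"CREATE TABLE IF NOT EXISTS users (
            username   TEXT PRIMARY KEY,
            salt       BLOB NOT NULL,
            hash       BLOB NOT NULL,
            iterations INTEGER NOT NULL)";
        cmd.ExecuteNonQuery();
    }

    public static void Register(SqliteConnection conn, string username, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize); // CSPRNG, not a GUID
        byte[] hash = Derive(password, salt, Iterations);
        using var cmd = conn.CreateCommand();
        // Parameterised insert: the username never gets concatenated into SQL text.
        cmd.CommandText = "INSERT INTO users (username, salt, hash, iterations) VALUES ($u, $s, $h, $i)";
        cmd.Parameters.AddWithValue("$u", username);
        cmd.Parameters.AddWithValue("$s", salt);
        cmd.Parameters.AddWithValue("$h", hash);
        cmd.Parameters.AddWithValue("$i", Iterations);
        cmd.ExecuteNonQuery();
    }

    public static bool Verify(SqliteConnection conn, string username, string password)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT salt, hash, iterations FROM users WHERE username = $u";
        cmd.Parameters.AddWithValue("$u", username);
        using var reader = cmd.ExecuteReader();
        if (!reader.Read())
        {
            // Unknown user: run a derivation anyway so response time does not reveal which usernames exist.
            Derive(password, new byte[SaltSize], Iterations);
            return false;
        }
        byte[] salt = (byte[])reader["salt"];
        byte[] stored = (byte[])reader["hash"];
        int iterations = Convert.ToInt32(reader["iterations"]);
        // Re-derive with the stored salt and iteration count, then compare in constant time.
        byte[] candidate = Derive(password, salt, iterations);
        return CryptographicOperations.FixedTimeEquals(candidate, stored);
    }

    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        // PBKDF2-HMAC-SHA256; the overload without HashAlgorithmName defaults to SHA-1.
        using var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256);
        return kdf.GetBytes(HashSize);
    }

    public static void Main()
    {
        using var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        CreateSchema(conn);
        Register(conn, "alice", "correct horse battery staple");
        Console.WriteLine(Verify(conn, "alice", "correct horse battery staple"));
        Console.WriteLine(Verify(conn, "alice", "wrong password"));
        Console.WriteLine(Verify(conn, "nobody", "anything"));
    }
}
```

Only the first Verify call succeeds; the other two return false. Nothing reversible is ever written: the database holds the username, the random salt, the derived hash and the iteration count, so a copy of the file does not yield passwords, and raising Iterations later only requires re-deriving on the user's next successful login.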

Author: Ostorlabi

Updated on June 05, 2022

Comments

  • Ostorlabi
    Ostorlabi about 2 years

    I have a WinForms application, with login form, and I want to store the username and password encrypted in a SQLite database. I saw that I can use salt and hash, but I don't know how to encrypt the password in the code, and compare it when we authenticate.

    Any help please?

    • Security Hound
      Security Hound almost 12 years
      If you are using encryption to protect a password you are doing it wrong.
  • Ostorlabi
    Ostorlabi almost 12 years
    First, thank you for your answer. I'm new to this, so I have a login form (currently I have one user login and password in the code and compare it with what the user enters); if I want to use what you propose, how should I proceed?
  • D.Rosado
    D.Rosado almost 12 years
    @Ostorlabi I explained the concept behind this in the answer.
  • CodesInChaos
    CodesInChaos almost 12 years
    -1 for using single iteration hashing. Use PBKDF2, bcrypt or scrypt.
  • CodesInChaos
    CodesInChaos almost 12 years
    -1 because the code in the article is weak. Single iteration SHA1 is simply too fast.
  • idlemind
    idlemind almost 12 years
    @Ostorlabi I've edited my example to point you at PBKDF2 - included in the .NET framework so more trustworthy than a third party solution.
  • Ostorlabi
    Ostorlabi almost 12 years
    @Idlemind thank you Idlemind, one more question: now do I have to store the username and the saltedHash, or the salt (byte[] salt = saltedHash.Salt;), in the database? And what must I compare?
  • idlemind
    idlemind almost 12 years
    @Ostorlabi you will store the username, salt and salted hash in the database. When the user logs in, hash the password they provide with the salt for that user and then compare the result. If the two hashes are equal, the user has provided the correct password.