
I have stumbled across the below snippet, which encrypts a user's password. This is what I want to do because I don't want to store the user's password in the database without any encryption.

This is working fine for what I want to achieve, but my question is this: how can I un-encrypt it to make sure the value they have entered in the password box matches?

using System.Web.Security; // FormsAuthentication lives in the System.Web assembly (.NET Framework)

// Hash the password details of the user!
// Output: upper-case SHA-1 hex of (pwd + salt), with the salt appended so it can be read back later.
private static string CreatePasswordHash(string pwd, string salt)
{
  string saltAndPwd = string.Concat(pwd, salt);
  string hashedPwd =
    FormsAuthentication.HashPasswordForStoringInConfigFile(saltAndPwd, "SHA1");
  hashedPwd = string.Concat(hashedPwd, salt);
  return hashedPwd;
}

I call the above like this

string password = CreatePasswordHash(TxtPassword.Text, "1579");

The password then becomes something like this: 566DAB495AD0747B49865F9177E430DFAD63CA281579

So how do I un-encrypt that?

Thank you for your time.

  • You don't un-encrypt. You hash the password the user entered, with the same salt, and check if the hash is identical to what you stored in the db. Commented Apr 28, 2012 at 12:49
  • You cannot (and don't need to) do that. The reason people use hashes is because it is not possible to reverse them. Commented Apr 28, 2012 at 12:49
  • Use Rfc2898DeriveBytes for password hashing, and not HashPasswordForStoringInConfigFile. Commented Apr 28, 2012 at 12:57
  • @CodeInChaos I've just replaced HashPasswordForStoringInConfigFile with what you have said, but it gives me this error: System.Web.Security.FormsAuthentication does not contain a definition for Rfc2898DeriveBytes ??? Commented Apr 28, 2012 at 13:14
  • Rfc2898DeriveBytes is a class. Commented Apr 28, 2012 at 13:17

2 Answers


First off, do not attempt to write your own password storage system. You will get it wrong and build an insecure system. Hire an expert who specializes in this sort of thing, have them write the system, and train you in its correct usage and maintenance.

Second, the whole point of that code is that it is impossible for you to find out the user's password. Their password is none of your business. The point of the salted hash is to build a verification system whereby you do not have to store their password in the first place but you can still verify that they know their password.

To understand how that works, read my four-part series of articles on that subject:

http://blogs.msdn.com/b/ericlippert/archive/tags/salt/

But again do not attempt to do this yourself. Hire an expert with decades of experience in this space if you need to do security work.


4 Comments

"Hire an expert" -- haha, if only every asker on SO hired a professional instead of doing it themselves; then no one would post questions here.
@zerkms: There are plenty of situations in which "learning as you go" is appropriate. Particularly if the cost of making a mistake is relatively small. Building security systems is not one of them.
@zerkms: Use the ASP.NET Membership system and you have hired a whole team of experts. For free. And there is plenty left to ask about how to use it.
@Henk Holterman: a) I'm not the OP, so I don't need that; b) there is nothing magical about ASP.NET Membership, and it doesn't automatically protect against anything, so it can't be called a silver bullet.

The point of a hash is that no-one can decrypt it!

When a user attempts a login, you hash the entered password, and then compare the hash with what's in the database. If the hash matches, then the password was correct.

2 Comments

Everybody can decrypt it. The problem is the enormous cost of decryption.
@lukas: brute force is not decryption. Decryption always leads to a known result in a known time.
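Both answers describe the same procedure: the stored value is never reversed; instead the hash is recomputed from the password the user just typed and compared with what is in the database. The C# below is an added example, not code from the question or from either answer. `LegacyVerify` checks a login attempt against a value in the format the question's CreatePasswordHash produces (upper-case SHA-1 hex followed by the salt), and `CreatePbkdf2Hash`/`VerifyPbkdf2` show the Rfc2898DeriveBytes (PBKDF2) approach suggested in the comments, with a random per-user salt, a deliberately slow iteration count and a constant-time comparison. Assumptions: HashPasswordForStoringInConfigFile hashes the UTF-8 bytes of its input and returns upper-case hex (so it is recreated here with SHA1 directly, without System.Web; check against a value from your own database before relying on it); the `iterations.salt.hash` storage format and all method names are mine; the Rfc2898DeriveBytes overload that takes a HashAlgorithmName needs .NET Framework 4.7.2 or .NET Core 2.0 and later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: a verify-only password store. Nothing here "un-encrypts" anything.
static class PasswordVerification
{
    // Recreates the question's CreatePasswordHash output without System.Web:
    // SHA-1 over the UTF-8 bytes of (pwd + salt), upper-case hex, salt appended.
    // Assumption: this matches FormsAuthentication.HashPasswordForStoringInConfigFile(…, "SHA1").
    public static string LegacyCreatePasswordHash(string pwd, string salt)
    {
        using (var sha1 = SHA1.Create())
        {
            byte[] digest = sha1.ComputeHash(Encoding.UTF8.GetBytes(pwd + salt));
            var hex = new StringBuilder(digest.Length * 2);
            foreach (byte b in digest) hex.Append(b.ToString("X2"));
            return hex.ToString() + salt;
        }
    }

    // Login check for the legacy format: recover the salt from the tail of the stored
    // value, hash the candidate the same way, compare. The stored hash is never reversed.
    public static bool LegacyVerify(string storedHash, string candidatePwd)
    {
        const int Sha1HexLength = 40; // 20 bytes of SHA-1 as hex
        if (storedHash == null || storedHash.Length <= Sha1HexLength) return false;
        string salt = storedHash.Substring(Sha1HexLength);
        string recomputed = LegacyCreatePasswordHash(candidatePwd, salt);
        return FixedTimeEquals(Encoding.UTF8.GetBytes(recomputed), Encoding.UTF8.GetBytes(storedHash));
    }

    // PBKDF2 replacement (Rfc2898DeriveBytes). Storage format chosen here:
    // "iterations.saltBase64.hashBase64" so the parameters travel with the hash.
    const int SaltBytes = 16;
    const int HashBytes = 32;
    const int Iterations = 100000;

    public static string CreatePbkdf2Hash(string pwd)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt); // fresh random salt per user
        byte[] hash = Pbkdf2(pwd, salt, Iterations);
        return Iterations + "." + Convert.ToBase64String(salt) + "." + Convert.ToBase64String(hash);
    }

    public static bool VerifyPbkdf2(string stored, string candidatePwd)
    {
        string[] parts = (stored ?? "").Split('.');
        if (parts.Length != 3) return false;
        int iterations;
        if (!int.TryParse(parts[0], out iterations) || iterations < 1) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Pbkdf2(candidatePwd, salt, iterations);
        return FixedTimeEquals(actual, expected);
    }

    static byte[] Pbkdf2(string pwd, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(pwd, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    // Constant-time comparison so a mismatch does not leak how many leading bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        // Constructed sample input: a stored value in the question's format (fixed salt "1579")
        // and two login attempts, one correct and one wrong.
        string legacyStored = LegacyCreatePasswordHash("correct horse", "1579");
        Console.WriteLine("legacy, right password: " + LegacyVerify(legacyStored, "correct horse"));
        Console.WriteLine("legacy, wrong password: " + LegacyVerify(legacyStored, "wrong"));

        string pbkdf2Stored = CreatePbkdf2Hash("correct horse");
        Console.WriteLine("pbkdf2 stored value:    " + pbkdf2Stored);
        Console.WriteLine("pbkdf2, right password: " + VerifyPbkdf2(pbkdf2Stored, "correct horse"));
        Console.WriteLine("pbkdf2, wrong password: " + VerifyPbkdf2(pbkdf2Stored, "wrong"));
    }
}
```

A practical way to move off the legacy format without forcing a reset: on each successful `LegacyVerify`, call `CreatePbkdf2Hash` with the password the user just typed and overwrite the stored value, so accounts migrate as people log in. The fixed salt "1579" from the question is the other weakness worth fixing at the same time: with one shared salt, two users with the same password get the same stored hash, which the random per-user salt in `CreatePbkdf2Hash` avoids.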
