How to encrypt a password for saving it later in a database or text file?

StackOverflow readers don't know how to write secure password schemes and neither do you. If you're going to do that, save time by sticking with plain text. From Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes:

Rainbow tables are easy to beat. For each password, generate a random number (a nonce). Hash the password with the nonce, and store both the hash and the nonce. The server has enough information to verify passwords (the nonce is stored in the clear). But even with a small random value, say, 16 bits, rainbow tables are infeasible: there are now 65,536 "variants" of each hash, and instead of 300 billion rainbow table entries, you need quadrillions. The nonce in this scheme is called a "salt".

Cool, huh? Yeah, and Unix crypt —- almost the lowest common denominator in security systems —- has had this feature since 1976. If this is news to you, you shouldn’t be designing password systems. Use someone else’s good one.

Use BCrypt - Strong Password Hashing for .NET and Mono. It's a single cleanly written .cs file that will continue to meet your needs as password cracking computers get faster.


BCrypt - Strong Password Hashing for .NET and Mono


Triple DES is one way to do it, as long as you mean "A password that my system needs to be able to recall in order to access a resource". If you mean the password is something a user needs to be able to gain access to your system, probably don't want encryption, just a hash will do. When you store the hashed password value, it is useless to anyone with direct database access, but can still be used for authentication. All you do is compare the stored hash against a hash of the incoming password. If they match, then you grant access.

It isn't perfect, by any means, but it is the way 99.999% of people store their passwords.

If you want to argue that you wish to provide the password back to a user if they lose/forget it, then please don't. Issue them with a temporary password (which you store hashed in the db) and get them to change it on first login.


Use Data Protection API either with the user or machine store (e.g. different key per account your program/database server runs under vs. one key per machine). This will help you decode the passwords later and you don't have to remember or store any encryption keys. The downside of it is that when you reinstall the system/delete the account you won't be able to recover the data, I believe.


If you use encryption for securely storing passwords, you'll need to store the encryption "key" somewhere, too. This will be the "weak link", since if someone gets hold of the encryption key, they will be able to decrypt the encrypted passwords.

Since this is passwords that we're talking about here, a much better solution is to use a one-way hash. You hash the password when the user first creates it (preferably hashing with a salt value) and store the resulting hash value. Since hashes are one-way, no one can reverse the hash to the original plain text value.

To check that a users password is correct, you simply ask the user for the plain-text password, hash their input again and compare the resulting hash value with the hash value you have stored (taking salts into account of course). If the two hash values are the same, the user has entered the correct password.

Please see the following links for further info: Hashing Password with Salt

For encryption (if you need to use that), I'd use Rijndael (AES).


Comments

  1. Archer

    • 2021/4/6

    StackOverflow readers don't know how to write secure password schemes and neither do you. If you're going to do that, save time by sticking 

  2. Benson

    • 2019/2/18

    Enjoy Peace of Mind with a Password Strength Checker and Password Manager. The Most Secure Password Manager and Password Strength Checker.

  3. Lefebvre

    • 2017/11/6

    Encrypting/Hashing plain text passwords in database. Not duplicate I'm asking for code specific for .NET. EDIT: I'm saving the password for later use.

  4. Brantley

    • 2021/5/14

    I want my application to save the password encrypted in a database or in a text file. How can I do that assuming that the database or text file can be open by anyone? Duplicate. Encrypting/Hashing plain text passwords in database. Not duplicate I'm asking for code specific for .NET. EDIT: I'm saving the password for later use.

  5. De Santis

    • 2020/3/21

    StackOverflow readers don't know how to write secure password schemes and neither do you. If you're going to do that, save time by sticking with plain text.

  6. Joey

    • 2015/2/17

    On the File tab, click Open . In the Open dialog box, browse to the file that you want to open, and then select the file. Click the arrow next to the Open button, and then click Open Exclusive. The following figure depicts the menu. On the File tab, click Info, and then click Encrypt with Password . The Set Database Password dialog box appears.

  7. Castelli

    • 2019/3/15

    Since the attacker knows his password in plain text/encrypted form, site used to store part of its passwords with sha1, and after the 

  8. Wilder

    • 2016/2/7

    If possible don't store the username and password in the configuration file, ask the user to provide a username and password when they open the application and create a login for the user on the database and only give that user the minimum set of permissions to the db tables that they need for the application to run.

  9. Dupont

    • 2015/4/1

    These algorithms map the input value to encrypted output and for the same input it generates the same output text. Also there is no decryption 

  10. Kingsley

    • 2017/6/25

    password: A secret key that is used to encrypt the actual input which will later be used to decrypt the password. So you need to note down this key for future decryption. So you need to note down

  11. Lachlan

    • 2017/7/26

    We'll cover writing it to a text file a bit later. The following chunk of code creates an encrypted password by using the previously generated 

  12. Santino

    • 2019/11/12

    Storing plain text passwords in the database is a sin. One might also think that if not plain text then we must encrypt the password and then store. It is also a terrible idea. Encryption functions provide one-one mapping between input and output and they are always reversible. If the hacker gets the key, he will be able to decrypt the passwords.

  13. Torres

    • 2016/9/25

    Remember these rules as you proceed: The new encryption feature applies only to databases in the .accdb file format. The tool uses a stronger encryption 

  14. Baylor

    • 2020/9/3

    #### Set and encrypt our own password to file using default ConvertFrom-SecureString method (get-credential).password | ConvertFrom-SecureString | set-content "C:\Vault\Personal\Encrypted.txt" After executing above script, you will get a prompt for the password, then input your credentials that you want to save.

  15. Axton

    • 2020/11/12

    Managing the Secure External Password Store for Password Credentials is still transmitted across the network in clear text in the network trace files.

  16. Logan

    • 2016/10/15

    Enjoy Peace of Mind with a Password Strength Checker and Password Manager. The Most Secure Password Manager and Password Strength Checker.

  17. Flores

    • 2020/5/4

    Using Task Scheduler; Create an Encrypted Password File; Creating a Key File an encrypted password file will be saved to “C:\passwords\password.txt”:.

  18. Alvarez

    • 2016/10/25

    Pick a password for the file and make sure you remember it—if you forget, that file will be lost forever—then upload it to Google Drive. (Sadly, this won't work 

Comments are closed.

Recent Posts