
I have a method that is used to encrypt the password and store it in the database, as below:

using System.Security.Cryptography;
using System.Text;

public static string Md5Encrypted(string password)
{
    byte[] pass = Encoding.UTF8.GetBytes(password);
    using (MD5 md5 = new MD5CryptoServiceProvider())
    {
        // Decodes the raw 16 digest bytes as UTF-8 text (this is the step the comments point at).
        string strPassword = Encoding.UTF8.GetString(md5.ComputeHash(pass));
        return strPassword;
    }
}

Now I want a method that decrypts the password I get from the database, which was encrypted by the above method while storing it. I don't know how to write it. Can anybody help me please?

Comments

  • You're not encrypting anything with MD5. You're generating a hash which is irreversible. You should compare the passwords by generating the hash for the given password and compare it to the hash that is stored. Commented Feb 13, 2013 at 9:59
  • The only way to reverse this is guessing the right password. This isn't a good password hash btw for two reasons: 1) No salt 2) MD5 is fast. You should use PBKDF2, bcrypt or scrypt instead. Commented Feb 13, 2013 at 10:01
  • @RanhiruCooray No, I don't have. When I compare the new encrypted password with old one i.e. already stored in database with encryption, it is not returning true if passwords are matched. the ? are changed to a rectangle around ? Commented Feb 13, 2013 at 10:06
  • By the way, you typically wouldn't want to convert the hash bytes to an UTF-8 string directly. If you want a string representation, stick to e.g. base 64 (Convert.ToBase64String). That's probably why you're getting the "rectangles" and the comparison fails. Commented Feb 13, 2013 at 10:09
  • Furthermore I would use a salting-method to make the passwords more secure. Without that it'll be easy to get the passwords. Commented Feb 13, 2013 at 10:16

3 Answers


MD5 is a hash function (not an encryption) and is irreversible. That is, you can't compute the original value from a given hash.

Update: I recommend this article that describes how to store password hashes securely. There's a C# implementation as well.

http://crackstation.net/hashing-security.htm


6 Comments

But you can often revert it by guessing many candidate passwords, which works pretty well in practice.
So when I compare the new encrypted password with old one, it is not returning true if passwords are matched. the ? are changed to a rectangle around question marks
Technically, you're not reversing the hashing but causing a collision. In the end it's the same for most practical purposes, of course. That's why you'd store salted hashes and use things like PBKDF2.
@AndreLoker thanks, but I cannot change all the users' passwords. I want to compare the new password with the old one. How can I achieve it?
By comparing the hashes. You generate the hash of the old password and generate the hash of the new password. Then you simply compare the Base64Strings (hashes) with == or the Equals-method.
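The fix the comments describe (keep the raw digest bytes as Base64 rather than decoding them as UTF-8, then compare the stored and freshly computed values) in runnable form. This is an added example, not code from the question or the answers; it keeps MD5 only so the encoding problem the asker hit can be reproduced, and the second example further down shows the salted PBKDF2 scheme the comments recommend instead. The `HashEncodingDemo` class and its method names are hypothetical, `CryptographicOperations.FixedTimeEquals` assumes .NET Core 2.1 / .NET 5 or later, and the password `hunter2` is a constructed sample.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example (hypothetical class name), not code from the question or answers.
public static class HashEncodingDemo
{
    // MD5 of the UTF-8 bytes of the password; returns the raw 16-byte digest.
    // (MD5 is kept here only to reproduce the question's situation.)
    public static byte[] Md5(string password)
    {
        using (MD5 md5 = MD5.Create())
        {
            return md5.ComputeHash(Encoding.UTF8.GetBytes(password));
        }
    }

    // What the question does: interpret arbitrary digest bytes as UTF-8 text.
    // Byte sequences that are not valid UTF-8 are replaced by U+FFFD, which is
    // the "rectangle" the asker sees; the original bytes are lost at this point.
    public static string LossyUtf8(byte[] digest) => Encoding.UTF8.GetString(digest);

    // What the comments recommend: Base64 is a reversible text encoding of any bytes.
    public static string ToBase64(byte[] digest) => Convert.ToBase64String(digest);

    // True only if encoding and then decoding gives back exactly the input bytes.
    public static bool Utf8RoundTrips(byte[] digest) =>
        Encoding.UTF8.GetBytes(LossyUtf8(digest)).SequenceEqual(digest);

    public static bool Base64RoundTrips(byte[] digest) =>
        Convert.FromBase64String(ToBase64(digest)).SequenceEqual(digest);

    // Login check: decode the stored Base64 value, hash the candidate, compare.
    // FixedTimeEquals does not stop at the first differing byte, so the comparison
    // time does not reveal how much of the digest matched.
    public static bool Verify(string storedBase64, string candidatePassword)
    {
        byte[] stored = Convert.FromBase64String(storedBase64);
        byte[] actual = Md5(candidatePassword);
        return CryptographicOperations.FixedTimeEquals(stored, actual);
    }

    public static void Main()
    {
        byte[] digest = Md5("hunter2");            // constructed sample password

        Console.WriteLine($"UTF-8 round trip intact:  {Utf8RoundTrips(digest)}");
        Console.WriteLine($"Base64 round trip intact: {Base64RoundTrips(digest)}");

        string stored = ToBase64(digest);           // what should go in the database
        Console.WriteLine($"stored value: {stored}");
        Console.WriteLine($"correct password accepted: {Verify(stored, "hunter2")}");
        Console.WriteLine($"wrong password rejected:   {!Verify(stored, "hunter3")}");
    }
}
```

Sixteen digest bytes are very unlikely to form valid UTF-8, so `Utf8RoundTrips` fails for almost every password while `Base64RoundTrips` always succeeds; that is the whole reason the asker's string comparison of "encrypted" values never matches. Hex (`BitConverter.ToString`) works equally well as a storage form; what matters is that the text encoding is reversible.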

The MD5 hash function is irreversible and cannot be decrypted. If you want to check the username and password during login, then do this:

1. While registering a new user, hash the password and store it in the database.

2. During login, hash the password entered by the user.

3. Now compare the password entered (hashed) with the password stored in the database (hashed).

4. If both of them are the same then allow the user to log in, else display an error.

4 Comments

Please stop calling it "encryption".
Hashing. You're creating a hash of the password.
No offense, it's easy to get terms mixed up.
@coder man, don't I have that much sense..? Try it yourself, the encoded passwords do not match the password you get from the database.

You can't decrypt this, because hashing is a one-way function - you can't take a hashed value and turn it back into the original value.

Since it looks like you're dealing with passwords and I therefore assume this is some kind of logon mechanism, this is (probably) OK. What you need to do is hash the password (as you've done), and store the hashed value when your user registers on your website. When the user returns to your site, you take the password they enter, hash it (using the same method), and compare the hashed value with the value you stored. If the two hashes match, the correct password was entered.

Salts
There's a problem with hashes, in that the same input value always produces the same hashed value (otherwise the above mechanism for logon wouldn't work). Unfortunately this means that generating hash values for, say, a dictionary of common passwords is a trivial exercise. If your database is compromised, an attacker can then compare all the hashed passwords you've got stored against his previously computed values, and if he gets a match then Bazinga! he's got into your data.
To defend against this, what you can do when you do your initial hashing is at the same time generate an extra bit of random data that gets mixed in with the password as it's being hashed. This is called a salt (or less commonly a nonce). Rather than reproducing some code to do this, at this point I'm going to direct you to blowdart's book Beginning ASP.NET Security (Amazon UK | Amazon US), which has discussion of all this stuff - hashing, salting and 'proper' encryption.

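The register-then-verify procedure from the second answer, combined with the per-user salt the third answer describes, as one added example that is not from the page or from the book it points to. In place of bare MD5 it uses PBKDF2 (`Rfc2898DeriveBytes` with SHA-256, available from .NET Framework 4.7.2 / .NET Core 2.0) as the comments on the question recommend; the `PasswordStore` class, the `iterations.salt.hash` record format, the parameter values and the sample password are assumptions made for this example.

```csharp
using System;
using System.Security.Cryptography;

// Added example (hypothetical class name), not code from the page.
public static class PasswordStore
{
    // Parameters chosen for this example; tune Iterations to your hardware budget.
    private const int SaltSize = 16;        // bytes of random salt per user
    private const int HashSize = 32;        // bytes of derived key to store
    private const int Iterations = 100_000; // PBKDF2 work factor

    // Step 1 (registration): fresh random salt, derive the hash, store both.
    // Record format (assumed for this example): "iterations.saltBase64.hashBase64".
    // Base64 never contains '.', so the separator is unambiguous.
    public static string Register(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        byte[] hash = Derive(password, salt, Iterations);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }

    // Steps 2-4 (login): re-derive with the stored salt and iteration count,
    // then compare in constant time. A malformed record simply fails to verify.
    public static bool Verify(string storedRecord, string candidatePassword)
    {
        string[] parts = storedRecord.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations) || iterations <= 0)
        {
            return false;
        }
        byte[] salt;
        byte[] expected;
        try
        {
            salt = Convert.FromBase64String(parts[1]);
            expected = Convert.FromBase64String(parts[2]);
        }
        catch (FormatException)
        {
            return false;
        }
        byte[] actual = Derive(candidatePassword, salt, iterations);
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }

    // PBKDF2-HMAC-SHA256: the salt is mixed in with the password, so two users
    // with the same password get different hashes and a precomputed dictionary
    // of hashes is useless without redoing the work per salt.
    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(HashSize);
        }
    }

    public static void Main()
    {
        const string password = "correct horse battery staple"; // constructed sample
        string record = Register(password);
        Console.WriteLine($"stored record: {record}");
        Console.WriteLine($"correct password accepted: {Verify(record, password)}");
        Console.WriteLine($"wrong password rejected:   {!Verify(record, "wrong password")}");
        // Registering the same password twice gives a different record because the salt differs.
        Console.WriteLine($"salt makes records differ: {record != Register(password)}");
    }
}
```

Storing the iteration count alongside the salt lets you raise the work factor later and re-hash each user's password on their next successful login without invalidating existing records. For the asker's situation (existing rows already hold bare MD5 values), the usual migration is to verify against the old scheme once at login and, on success, overwrite the row with a record in this format.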
