Four years ago, I was working as a developer in a company that made custom content management systems. We offered backups of the databases to our customers on a monthly basis, but in those databases we stored all the users’ login information. The customer was of course happy about getting all the passwords, but I saw that as a severe security breach.

So, I convinced my boss to let me protect the passwords using a very simple but powerful tool: one-way encryption, or more precisely a cryptographic hash. A one-way function lets you turn a value into a fixed-size digest but gives you no way to turn the digest back into the value, so nobody reading the database could simply look up a password.

This is the simple method I used. Note that, despite its name, it hashes the input rather than encrypting it; there is no key and nothing to decrypt.

using System;
using System.Text;
using System.Security.Cryptography;

/// <summary>
/// Hashes a string one-way. The result cannot be reversed to recover the input,
/// which hides the password from anyone reading the database, including the
/// system administrators. (The method is named Encrypt, but it is a hash.)
/// </summary>
/// <param name="plainMessage">The string you want to hash.</param>
/// <returns>The MD5 digest of the UTF-8 bytes, encoded as a base64 string.</returns>
public string Encrypt(string plainMessage)
{
  using (MD5CryptoServiceProvider md5Hasher = new MD5CryptoServiceProvider())
  {
    // MD5 always yields a 16-byte digest, whatever the length of the input.
    byte[] hashedDataBytes = md5Hasher.ComputeHash(Encoding.UTF8.GetBytes(plainMessage));
    return Convert.ToBase64String(hashedDataBytes);
  }
}

Example of use

The use of this method is pretty simple. The password field in the database contained the hashed password, and every time a user tried to authenticate I would run the submitted password through Encrypt and query the database for a row holding exactly that string. A match means the user supplied a password with the same digest. This is a dummy method that does just that.

private bool Login(string password)
{
  // Hash the submitted password the same way the stored value was produced,
  // then let the database do the comparison.
  string encryptedPassword = Encrypt(password);
  // Query database for encrypted password
  return CanAuthenticate(encryptedPassword);
}

If I pass my own name to the Encrypt method this would be the result:

Encrypt("Mads Kristensen ") --> "DHi8pBS6u7fWewZBHO9WPw=="

Now the password column held only opaque digests instead of readable passwords. Unreadable is not the same as unrecoverable, though: without a per-user salt, two users with the same password get the same digest, and the MD5 of any common password can be found in a precomputed table, so the scheme only raises the bar for whoever gets hold of a backup.

UPDATE September 12

As some of the comments point out, the MD5 algorithm is not secure enough. So, I wrote a new Encrypt method using the SHA256 algorithm. Changing the digest algorithm only addresses MD5's own weaknesses, though: a fast, unsalted hash of a password, whatever the algorithm, can still be attacked with a dictionary or a precomputed table, so each password should get its own random salt and be run through a deliberately slow derivation function such as PBKDF2.
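To make that concrete, here is an added example that is not the post's code. It is written against modern .NET (6 or later), and the class name PasswordStorage, the methods Hash and Verify, and the stored record format "iterations.base64(salt).base64(digest)" are all assumptions made for the illustration. It keeps the post's unsalted MD5 digest beside a salted PBKDF2-SHA256 derivation with a constant-time comparison, so the difference can be seen on the same input.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the original post's code. Contrasts the unsalted MD5
// digest used above with salted, iterated PBKDF2-SHA256 (needs .NET 6+).
static class PasswordStorage
{
    // Unsalted MD5 as in the post: identical passwords give identical digests,
    // and the digest of a common password can be found in a precomputed table.
    public static string Md5Base64(string plainMessage)
    {
        using (var md5 = MD5.Create())
        {
            return Convert.ToBase64String(md5.ComputeHash(Encoding.UTF8.GetBytes(plainMessage)));
        }
    }

    // Hypothetical stored record format: "iterations.base64(salt).base64(digest)".
    private const int SaltSize = 16;        // 128-bit random salt, unique per password
    private const int DigestSize = 32;      // PBKDF2-SHA256 output length in bytes
    private const int Iterations = 600_000; // work factor; raise it as hardware gets faster

    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltSize];
        RandomNumberGenerator.Fill(salt);
        byte[] digest = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, DigestSize);
        return Iterations + "." + Convert.ToBase64String(salt) + "." + Convert.ToBase64String(digest);
    }

    public static bool Verify(string password, string storedRecord)
    {
        string[] parts = storedRecord.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations) || iterations < 1)
        {
            return false;
        }
        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[1]);
            expected = Convert.FromBase64String(parts[2]);
        }
        catch (FormatException)
        {
            return false; // corrupted record: never a match
        }
        // Re-derive with the salt and iteration count stored alongside the digest.
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, expected.Length);
        // Constant-time comparison: a plain == would leak, through timing,
        // how many leading bytes of the guess were right.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    static void Main()
    {
        // Two accounts whose owners chose the same password.
        string md5A = Md5Base64("hunter2"), md5B = Md5Base64("hunter2");
        Console.WriteLine("MD5 digests identical: " + (md5A == md5B));

        string recordA = Hash("hunter2"), recordB = Hash("hunter2");
        Console.WriteLine("PBKDF2 records identical: " + (recordA == recordB));
        Console.WriteLine("correct password verifies: " + Verify("hunter2", recordA));
        Console.WriteLine("wrong password verifies: " + Verify("Hunter2", recordA));
    }
}
```

Running it shows the two MD5 digests are identical while the two PBKDF2 records differ, and that only the exact password verifies against a record. Storing the iteration count in the record is what lets the work factor be raised later without invalidating existing accounts; Md5Base64 is the post's Encrypt with MD5.Create() in place of the now-obsolete MD5CryptoServiceProvider.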

I’ve just finished a small application that does some IO work on files and directories. The application moves directories to new locations, but every time a folder or file was marked read-only it would of course throw an exception. The same happened with system files and folders. The obvious solution would be to add a try/catch block to the method, but I wanted something better.

I came up with a method that checks a file or directory’s attributes, so that I wouldn’t try to move or delete a read-only, hidden or system file, or any combination of those.

/// <summary>
/// Checks if a directory or file is system-, hidden- or readonly.
/// Returns false if any of the three attributes is set.
/// </summary>
private static bool IsAttributesAllowed(FileAttributes attributes)
{
  if ((attributes & FileAttributes.Hidden) == FileAttributes.Hidden)
    return false;

  if ((attributes & FileAttributes.System) == FileAttributes.System)
    return false;

  if ((attributes & FileAttributes.ReadOnly) == FileAttributes.ReadOnly)
    return false;

  return true;
}

That method allows me to write the following code:


FileInfo file = new FileInfo(filename);
if (IsAttributesAllowed(file.Attributes))
{
  DoSomething();
}

Or with directories:


DirectoryInfo dir = new DirectoryInfo(foldername);
if (IsAttributesAllowed(dir.Attributes))
{
  DoSomething();
}

The application hasn’t thrown any exceptions using this method, but it is always a good idea to be safe when dealing with IO: the attribute check is a snapshot, and another process can change attributes or permissions between the check and the move, so the IO call itself should still be guarded by exception handling rather than relying on the check alone.
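As an added example that is not the post's code (the class name SafeMove and the method MoveFiles are hypothetical), here is how the attribute pre-check and exception handling complement each other. The check is folded into a single mask test with the same result as the three if statements above, the move itself is still wrapped in try/catch because the attributes can change after they were read, and the demo creates a read-only file in a temporary directory to exercise the skip path.

```csharp
using System;
using System.IO;

// Added example, not the original post's code. Uses the attribute check as a
// pre-filter and keeps exception handling around the move, since the
// attributes can change between the check and the operation.
static class SafeMove
{
    // Any one of these attributes disqualifies an entry.
    private const FileAttributes Protected =
        FileAttributes.Hidden | FileAttributes.System | FileAttributes.ReadOnly;

    // Same decision as the three separate tests above, as one mask test.
    public static bool IsAttributesAllowed(FileAttributes attributes)
    {
        return (attributes & Protected) == 0;
    }

    // Moves the ordinary files in sourceDir to destinationDir, skipping
    // protected entries and reporting the ones the OS still refuses.
    public static int MoveFiles(string sourceDir, string destinationDir)
    {
        Directory.CreateDirectory(destinationDir);
        int moved = 0;
        foreach (string path in Directory.EnumerateFiles(sourceDir))
        {
            var file = new FileInfo(path);
            if (!IsAttributesAllowed(file.Attributes))
            {
                Console.WriteLine("skip " + file.Name + " (" + file.Attributes + ")");
                continue;
            }
            try
            {
                // The attributes were read a moment ago; the move can still fail.
                file.MoveTo(Path.Combine(destinationDir, file.Name));
                moved++;
            }
            catch (UnauthorizedAccessException ex)
            {
                Console.WriteLine("denied " + file.Name + ": " + ex.Message);
            }
            catch (IOException ex)
            {
                Console.WriteLine("failed " + file.Name + ": " + ex.Message);
            }
        }
        return moved;
    }

    static void Main()
    {
        // Constructed fixture: one ordinary file and one read-only file.
        string root = Path.Combine(Path.GetTempPath(), "safemove-demo-" + Guid.NewGuid().ToString("N"));
        string src = Path.Combine(root, "src");
        string dst = Path.Combine(root, "dst");
        Directory.CreateDirectory(src);
        File.WriteAllText(Path.Combine(src, "plain.txt"), "ok");
        string locked = Path.Combine(src, "locked.txt");
        File.WriteAllText(locked, "keep");
        File.SetAttributes(locked, File.GetAttributes(locked) | FileAttributes.ReadOnly);

        Console.WriteLine("moved " + MoveFiles(src, dst) + " file(s)");

        // Clear the read-only bit before cleanup, or the delete itself would throw.
        File.SetAttributes(locked, FileAttributes.Normal);
        Directory.Delete(root, true);
    }
}
```

The read-only file is reported and left in place, the ordinary file is moved, and anything that fails despite passing the check is logged instead of crashing the run; the cleanup at the end shows the same point from the other side, since deleting the read-only file requires clearing the attribute first.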
