Yesterday, I wrote about how to encrypt a password using a one-way MD5 hash, but as some of the comments point out, the MD5 algorithm is not strong enough. I listened and wrote a new method that uses SHA256 instead of MD5.

using System;
using System.Text;
using System.Security.Cryptography;

/// <summary>
/// Hashes a string one-way with SHA256 and returns the hash as a Base64 string.
/// </summary>
public string Encrypt(string plainMessage)
{
  byte[] data = Encoding.UTF8.GetBytes(plainMessage);

  using (HashAlgorithm sha = new SHA256Managed())
  {
    // ComputeHash runs the whole input through the algorithm and returns the digest,
    // so there is no need to call TransformFinalBlock and read the Hash property.
    byte[] hashedBytes = sha.ComputeHash(data);
    return Convert.ToBase64String(hashedBytes);
  }
}

If I pass my own name to the Encrypt method, this is the result:

Encrypt("Mads Kristensen ") --> a 44-character Base64 string (the 32 bytes of SHA256 output; Base64 of 32 bytes always ends in a single "=").

Four years ago, I was working as a developer at a company that made custom content management systems. We offered our customers monthly back-ups of their databases, but those databases also stored all the users' login information. The customers were of course happy to receive all the passwords, but I saw that as a severe security breach.

So, I convinced my boss to let me implement password encryption using a very simple but powerful tool: one-way encryption, better known as a cryptographic hash. A one-way function lets you compute a hash from a value but gives you no way to compute the value back from the hash, so nobody could read the actual passwords out of the database.

This is the simple method I used for encryption.

using System;
using System.Text;
using System.Security.Cryptography;

/// <summary>
/// Hashes a string one-way so that it cannot be turned back into the original
/// value. The purpose of this method could be to hide password information from
/// potential hackers and even the system administrators.
/// </summary>
/// <param name="plainMessage">The string you want to hash.</param>
/// <returns>The MD5 hash of the string as a Base64 string.</returns>
public string Encrypt(string plainMessage)
{
  using (MD5CryptoServiceProvider md5Hasher = new MD5CryptoServiceProvider())
  {
    // Hash the UTF-8 bytes of the input and encode the 16-byte digest as Base64
    byte[] hashedDataBytes = md5Hasher.ComputeHash(Encoding.UTF8.GetBytes(plainMessage));
    return Convert.ToBase64String(hashedDataBytes);
  }
}

Example of use

Using this method is pretty simple. The password field in the database contained the encrypted password, and every time a user tried to authenticate I would encrypt the password they typed and query the database for that encrypted string. This is a dummy method that does just that.

private bool Login(string password)
{
  string encryptedPassword = Encrypt(password);

  // Query the database for a row whose password field equals the hashed value
  return CanAuthenticate(encryptedPassword);
}

If I pass my own name to the Encrypt method, this is the result:

Encrypt("Mads Kristensen ") --> “DHi8pBS6u7fWewZBHO9WPw==”.

Now the database was filled with totally unreadable values that effectively shielded the right passwords.

UPDATE September 12

As some of the comments point out, the MD5 algorithm is not secure enough, so I wrote a new Encrypt method using the SHA256 algorithm; it is shown at the top of this post.