Can you elaborate on the hash value part you mentioned? Should I write a query for each and every username, so that the password is in hash value format?
Well, it's not that hard.
You create a "salt" value that is used to randomize the hash values you'll create for each person. You'll need to use System.Security.Cryptography to create the salt and then later System.Web.Security to create the hash.
My examples are going to be written in VB but I'm sure they can easily be converted into C#. Also please note that there might be newer methods available to do this because I wrote this a few years ago.
Anyways, to create the salt:

    Imports System.Security.Cryptography

    ' Returns numBytes of cryptographically random data, Base64-encoded so it can be stored in a text column
    Private Function CreateSalt(ByVal numBytes As Integer) As String
        Dim rng As New RNGCryptoServiceProvider
        ' VB array declarations give the upper index, so numBytes - 1 yields exactly numBytes elements
        Dim buff() As Byte = New Byte(numBytes - 1) {}
        rng.GetBytes(buff)
        Return Convert.ToBase64String(buff)
    End Function
Now that you have the salt you can create a Hash of the password.
You take the user's password and salt value and use the FormsAuthentication to create a Hash value from these two values.
You can place your salt value at any spot in the password to make it harder to crack. Now, if someone does get a hold of your database they'll have a bunch of hash values and salt values but won't have any passwords.
Even if they have obtained these values and start trying to recreate the hash values you have stored, they don't know where the salt has been added to the password. It'll make it even harder for them to get the password.
Also, since the salt value is random, no two hash values will be the same. This means that if two people have the password "password", their hash values will be different, so glancing at the hash values stored in your database won't reveal anything.
Please note that you cannot "unhash" a password. It's a one-way thing. You can hash something but cannot derive the password from the hash.
To create the hash you use a function that Microsoft was kind enough to provide to us:

    Imports System.Web.Security

    ' Hashes the password with the salt appended and returns the digest as an upper-case hex string
    Public Function CreatePasswordHash(ByVal password As String, ByVal salt As String) As String
        Return FormsAuthentication.HashPasswordForStoringInConfigFile(password & salt, "SHA1")
    End Function
This example will create a hash for you (for storing) using SHA1 encryption.
You store the Hash and the Salt values into the database.
Now when your user comes back to the page you do a query on their userName and retrieve their Hash and Salt values from the database. Then you recreate the hash value by taking the password they supplied and passing it to the same encryption method as you used to originally create the password Hash. You compare the newly created hash value to the one you retrieved from the database to determine if their credentials are correct.
Hope this helps!
-Frinny
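The full register-and-verify flow Frinny describes (random salt, hash of password plus salt, store both, recompute and compare at login), as an added example that is not part of the original thread. It is Python rather than VB so it can run stand-alone; `USERS` is a constructed in-memory stand-in for the database table, `create_password_hash` reproduces the SHA1-over-UTF-8, upper-case-hex output that the page's `HashPasswordForStoringInConfigFile` call produces (an assumption about that API's encoding), and `create_password_hash_pbkdf2` is an added stronger variant for the "newer methods" the answer alludes to.

```python
import base64
import hashlib
import hmac
import secrets


def create_salt(num_bytes: int = 16) -> str:
    # Same role as the page's CreateSalt: cryptographically random bytes,
    # Base64-encoded so the salt fits in a text column next to the hash.
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def create_password_hash(password: str, salt: str) -> str:
    # Same scheme as the page's CreatePasswordHash: SHA-1 over password & salt,
    # returned as upper-case hex (assumed to match the .NET helper's output).
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest().upper()


def create_password_hash_pbkdf2(password: str, salt: str, iterations: int = 600_000) -> str:
    # Added stronger variant: PBKDF2-HMAC-SHA256 with a high iteration count
    # makes each guess against a leaked table far more expensive than one SHA-1.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations)
    return dk.hex().upper()


# Constructed stand-in for the users table: username -> {"salt": ..., "hash": ...}
USERS: dict[str, dict[str, str]] = {}


def register(username: str, password: str) -> dict[str, str]:
    # Generate a fresh salt per user and store hash and salt; the password itself is never kept.
    salt = create_salt()
    record = {"salt": salt, "hash": create_password_hash(password, salt)}
    USERS[username] = record
    return record


def verify(username: str, password: str) -> bool:
    # Look up the stored salt and hash, recompute the hash from the supplied
    # password, and compare in constant time so timing does not leak a partial match.
    record = USERS.get(username)
    if record is None:
        return False
    candidate = create_password_hash(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    register("alice", "password")
    register("bob", "password")
    # Same password, different salts, so the stored hashes differ.
    print(USERS["alice"]["hash"] != USERS["bob"]["hash"])
    print(verify("alice", "password"), verify("alice", "Password"), verify("carol", "password"))
```

Because each user gets a fresh salt, `alice` and `bob` both using `"password"` end up with different stored hashes, and a wrong password or unknown username fails verification without the code ever needing the original password.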