Pretty much... But when you're dealing with hashes, the thing to
remember is that you never actually retrieve the password from the
database.  You retrieve a "hash" of the password, which you can
compare to the hash of the user input to see if they match.  For
example:

Actual password = "abcdef"
UserID = 99
UserName = JohnDoe
Salted password = "99abcdef99JohnDoe" (not necessarily a good salt,
but it's a sample)
Hashed password = "9ahf9a9b9c20e3fb2b14929abe"

It is "impossible" to retrieve the real password from the hash in the
database.  Instead, when the user attempts to log in, you salt the
user input the same way you originally salted the password, then hash
the salted user input, then compare the hashed salted user input to
the value in the database to determine if it's a match.

On Nov 14, 11:39 am, "Brandon Betances" <[EMAIL PROTECTED]> wrote:
> on that note, append a certain amount of characters to the beginning and end
> of the password before you hash it, and remove them when you retrieve the
> password. Is that what you meant, Joe? That's a good idea.
>
> On Fri, Nov 14, 2008 at 10:46 AM, Joe Enos <[EMAIL PROTECTED]> wrote:
>
> > Lots of answers regarding full encryption/decryption, just seems like
> > overkill for simple password storage.  Assuming the password is case-
> > sensitive, which it definitely should be, I'm with the
> > HashPasswordForStoringInConfigFile crowd - it's simple, fast, and
> > doesn't require any public/private or symmetric key maintenance.  It
> > is also designed so that a password cannot be reverse engineered by
> > design, so there's no chance that anyone will ever see your password
> > in plain text ever again, without serious effort.
>
> > The only thing I'd add is that you should salt your password before
> > adding it to the database.  For example, a simple salt would be the
> > primary key appended to the beginning or end of the password, or mixed
> > in, or something to that effect, as long as it's reproducible at the
> > time of the user's login.
>
> > On Nov 14, 3:08 am, "karthi keyan" <[EMAIL PROTECTED]> wrote:
> > > Hi,
>
> > > I have just designed a registration form (Windows application) in C#.  I am
> > > using Ms-access for storing the user information.  I need to store the
> > > password entered by the user in an encrypted manner.
>
> > > Can anyone help me out / guide me on this?
>
> > > Regards,
> > > Karthikeyan
>
>
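The store-and-verify flow described in the reply above, as an added example rather than code from anyone in the thread: it reproduces the post's sample salt ("99abcdef99JohnDoe") with SHA-256 and a constant-time comparison, and then goes one step further than the thread with a random per-user salt and PBKDF2, which is what current guidance prefers over a predictable salt. The function names, the 600,000-iteration default and the sample values are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed sample values taken from the thread's example (not a real account).
SAMPLE_USER_ID = 99
SAMPLE_USER_NAME = "JohnDoe"
SAMPLE_PASSWORD = "abcdef"


def salt_password(user_id: int, user_name: str, password: str) -> str:
    """Reproduce the post's sample salt: "99abcdef99JohnDoe" for the values above."""
    return f"{user_id}{password}{user_id}{user_name}"


def hash_for_storage(user_id: int, user_name: str, password: str) -> str:
    """Hash the salted password; this hex digest is what goes in the database."""
    salted = salt_password(user_id, user_name, password).encode("utf-8")
    return hashlib.sha256(salted).hexdigest()


def verify_login(stored_hash: str, user_id: int, user_name: str, attempt: str) -> bool:
    """Re-salt and re-hash the attempt exactly as at registration, then compare.

    The stored hash is never reversed; compare_digest keeps the comparison
    time independent of how many leading characters happen to match.
    """
    candidate = hash_for_storage(user_id, user_name, attempt)
    return hmac.compare_digest(candidate, stored_hash)


# Stronger variant (an assumption beyond the thread, not something it proposes):
# a random per-user salt stored next to the digest, plus a deliberately slow
# hash (PBKDF2) so that offline guessing against a leaked table is expensive.
def hash_with_random_salt(password: str, iterations: int = 600_000) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_with_random_salt(attempt: str, salt: bytes, digest: bytes,
                            iterations: int = 600_000) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = hash_for_storage(SAMPLE_USER_ID, SAMPLE_USER_NAME, SAMPLE_PASSWORD)
    print("stored hash:", stored)
    print("correct password:", verify_login(stored, SAMPLE_USER_ID, SAMPLE_USER_NAME, "abcdef"))
    print("wrong case:", verify_login(stored, SAMPLE_USER_ID, SAMPLE_USER_NAME, "ABCDEF"))
```

Because the salt differs per user, two accounts with the same password end up with different stored hashes, which is the property the salt is there to provide.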
