
C# Encrypted Password

I have a password field for a user, that when it is saved to a database, the password is encrypted.

Also, if I go to edit a user, the password field is hashed.

But the hashed field is hundreds of characters long, due to the length of the encryption.

Is there any way of showing maybe just 8 characters instead?

This is what is displayed after saving, which isn't ideal.

encryption

Can't you make a separate option to change password and in the edit user password field show something like *********? And if during user editing you enter something new into a password field, then go again through encryption.

There are several things that are worrying me here, one of which is that, as RB notes in the comments, you're using the terms Encryption and Hashing interchangeably. The difference is pretty important. In simple terms,

  • Encryption is when you obscure something in a way that can be reversed. An example (a bad example mind you) is substituting the letter A with the number 1, the letter B with the number 2 and so on. "Hello" would become "7 5 12 12 15", which would look meaningless to somebody without the key, but is reversible if you know how.
  • Hashing is a one way mathematical function, which takes an input and turns it into a unique piece of seemingly meaningless output. In simple terms, you can pretty much assume that every unique piece of information that goes into a hash will come out as a unique value. But, given that unique output, there is no way to reverse it and discover what the input was.

To expand further on the above, if I was creating a website where a user was asked to sign up, I would take the password that they chose, I would then hash that password and then store that password somewhere safe. I would then throw away the password the user actually entered. Next time that user came to my site, they would enter their password, which I would again hash, I would then check that hash output against what I had saved earlier, and since the same word will always produce the same output, if the two hashes matched I would grant access to my site.

I would also urge you to find out about salting passwords (more on which can be found at Wikipedia) which is pretty much a must-have these days.

Now, on to your actual question. Again (and I hope RB doesn't mind me expanding upon his excellent comments) what you are seeing in your password fields (the ****) is just a way for the browser to obscure your password from prying eyes. The fact that it looks like stars does not make it safe. Further, you should only ever read from this input field. You should never write to it. Writing anything to your password field lets an attacker know information about what kind of hash or security that you are using.

The best thing you could do would be to leave the password field on your user edit screen blank. If MVC is autopopulating that for you then it suggests to me that you should change the name of the input box to something that doesn't tie in with your underlying object. More about security in MVC can be found on Microsoft's asp.net website.
