Erik Porter's Blog

Life and Development at Microsoft and Other Technology Discussions


    Secure Passwords

    Well-done article, IMO, on securing passwords in a database table. We've been doing this in all of our applications for a while now and it works great.


    Jason Mauss said:

    I emailed him asking how you would retrieve the password for a user that forgot their password (so it could be emailed to them or something). It was not mentioned how to do this using the security method. I assume it's doable by using the hash value or something?
    # February 18, 2004 11:50 PM

    HumanCompiler said:

    I'm pretty sure it's NOT possible. That's what makes it so secure. Just have them change their password instead of e-mailing it to them or autogenerating a new one and e-mailing it to them. That's what we do...seems more secure.
    # February 18, 2004 11:52 PM

    Darrell said:

    Both SHA1 and MD5 are one-way hashes. You have to reset the password to a known value and have the user change the password on next login.

    Alternatively you can have a password hint that you show the user to help them remember the original password.
    # February 19, 2004 12:20 AM

    Michael Giagnocavo said:

    I don't know why they don't use PasswordDeriveBytes. Also, the article doesn't mention iterations, which are key for increasing the strength against brute force for passwords. A P4 can calculate about 1 million hashes a second, which means a dictionary attack against a hash takes hardly any time.
    # March 18, 2004 8:21 PM
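The two points raised in the comments, that a stored hash is one-way so a forgotten password can only be reset and never recovered, and that an iteration count is what makes each attacker guess expensive, can be shown together in one small example. This is an added example, not code from the blog, the linked article, or any of the commenters; it uses PBKDF2 (the iterated, salted derivation that succeeded the PasswordDeriveBytes/PBKDF1 approach named above) via Python's standard library. The record format `algo$iterations$salt$digest`, the iteration count, the 15-minute reset window and the in-memory `users` dictionary are all assumptions made for the example, and the 1 million hashes per second figure in the cost estimate is taken from the comment above.

```python
"""Salted, iterated password hashing plus a reset-instead-of-recover flow (added example)."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional

ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000       # assumed value; tune to your hardware budget
RESET_TTL_SECONDS = 15 * 60        # assumed policy for how long a reset token is valid


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex.

    A per-user random salt defeats precomputed tables; the iteration count means
    every guess an attacker makes costs that many underlying hash operations.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                       # malformed record never verifies
    if algo != ALGO:
        return False
    expected = bytes.fromhex(digest_hex)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


# Forgotten password: the digest cannot be reversed, so nothing is e-mailed back.
# A single-use, expiring token is issued instead, and only its hash is stored,
# so a leaked users table does not let an attacker complete someone else's reset.
def start_reset(users: Dict[str, dict], username: str, now: Optional[float] = None) -> str:
    token = secrets.token_urlsafe(32)
    now = time.time() if now is None else now
    users[username]["reset"] = {
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + RESET_TTL_SECONDS,
    }
    return token                           # delivered out of band (e-mail link), never stored in clear


def complete_reset(users: Dict[str, dict], username: str, token: str,
                   new_password: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    pending = users.get(username, {}).get("reset")
    if not pending or now > pending["expires"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False
    users[username]["password"] = hash_password(new_password)
    users[username]["reset"] = None        # token is single use
    return True


def estimated_attack_seconds(wordlist_size: int, iterations: int,
                             raw_hashes_per_second: int = 1_000_000) -> float:
    """Rough time to try a wordlist against one record at the 1M hashes/s cited above."""
    return wordlist_size * iterations / raw_hashes_per_second


if __name__ == "__main__":
    users = {"alice": {"password": hash_password("correct horse"), "reset": None}}
    print("login ok:", verify_password("correct horse", users["alice"]["password"]))
    token = start_reset(users, "alice")
    print("reset ok:", complete_reset(users, "alice", token, "battery staple"))
    print("old password still works:", verify_password("correct horse", users["alice"]["password"]))
    for iters in (1, 1_000, 200_000):
        print(f"1M-word dictionary, {iters} iterations: {estimated_attack_seconds(1_000_000, iters):.0f} s")
```

With a single iteration a million-word dictionary costs the attacker about one second per record, which is the situation the comment describes; at 200,000 iterations the same wordlist costs on the order of days per record, while a legitimate login still only pays for one derivation.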