Hi all,

I want to save userid and password in mysql database for my winform project.

One of my friends has told me that it is not secure, so I should encrypt it and save that.
I don't know about encryption, so I googled and got base64 encode and decode functions, and I use them in my project.

It changes the normal string into an unrecognizable string.

normal string - JAGA
Encode string - SkFHQQ==

Is it enough for production?
What else can I do?

Thanks in advance!
Updated 2-Jun-11 21:16pm
Comments
Dalek Dave 3-Jun-11 3:17am    
Edited for Grammar, Syntax and Readability.

It is absolutely useless for encoding a password. What's cryptic about it? This code is designed to send binary data as text, such as in e-mail messages or HTTP. Anyone can decode it to the original password. This is nearly the same as storing unprotected passwords in their original form, which is absolutely not acceptable.

For encryption methods, see the namespace System.Security.Cryptography, http://msdn.microsoft.com/en-us/library/system.security.cryptography.aspx.
For an introduction, read this: http://msdn.microsoft.com/en-us/library/92f9ye3s.aspx.

You can use two approaches for passwords: "real" cryptography, for example, public-key cryptography (http://en.wikipedia.org/wiki/Public-key_cryptography), or a cryptographic hash function (http://en.wikipedia.org/wiki/Cryptographic_hash_function).

The approach with a cryptographic hash function is the simplest one. You apply the function to the password and store it in the hashed form. It is impossible to revert the hash and obtain the password. Nobody needs it, ever. When your software gets a password, it performs the same hash function and compares the result with the stored hash. The original password is never used, which adds to the security of this method. For the cryptographic hash function, use one of the "SHA" classes in System.Security.Cryptography: SHA512, SHA256, etc.

For an explanation of the "SHA" class of algorithms, see http://en.wikipedia.org/wiki/SHA2.

Warning! Never use MD5 (http://en.wikipedia.org/wiki/MD5) for any security purposes! This function is considered "broken", so using it is unsafe.

[EDIT]
Pay attention to the important note below (thank you, Kim). Using a unique free parameter for the hash function per user also removes the risk of learning the password by a user who accidentally uses an identical password. The parameters can be stored along with the hashed passwords. Even if access to the password file is broken and someone reads the hashed passwords with the hash function parameters, it cannot help to revert the hash function to get an original password. To understand it, please read the Wikipedia article on cryptographic hash functions I referenced above.

—SA
 
Comments
Kim Togo 3-Jun-11 2:46am    
My 5. Good explanation.
One more thing. When generating a hash value, do not use the same parameter for generating the hash value, or else if two users have the same password, the hash value will also be the same.
Sergey Alexandrovich Kryukov 3-Jun-11 2:47am    
Good point. Thank you very much for this important note.
--SA
Sergey Alexandrovich Kryukov 3-Jun-11 2:57am    
I made a few fixes to my solution and added the explanation of using different hash function parameters and some explanation on the safety of this technique, and credited you for your help. Again, thank you very much, this is an important feature.
--SA
CPallini 3-Jun-11 3:17am    
My 5.
Sergey Alexandrovich Kryukov 3-Jun-11 3:18am    
Thank you very much.
--SA
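An added example (not code from any of the posts above) of the per-user salted SHA-256 hashing that this answer and the comment thread describe, using the SHA256 and RNGCryptoServiceProvider classes from System.Security.Cryptography. The class name PasswordHasher and the methods CreateSalt, Hash and Verify are my own names; the sample password "JAGA" is the one from the question.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original posts. Names below are hypothetical.
static class PasswordHasher
{
    // The "free parameter" from the discussion: a random salt generated
    // once per user, so two users with the same password get different hashes.
    public static byte[] CreateSalt(int size = 16)
    {
        var salt = new byte[size];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(salt);
        }
        return salt;
    }

    // SHA-256 over (salt || UTF-8 password). Only this digest and the salt
    // are stored; the password itself never reaches the database.
    public static byte[] Hash(string password, byte[] salt)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        using (var sha = SHA256.Create())
        {
            return sha.ComputeHash(input);
        }
    }

    // Recompute with the stored salt and compare. The loop always runs over
    // the whole digest so the comparison time does not leak where bytes differ.
    public static bool Verify(string password, byte[] salt, byte[] storedHash)
    {
        byte[] computed = Hash(password, salt);
        if (computed.Length != storedHash.Length) return false;
        int diff = 0;
        for (int i = 0; i < computed.Length; i++) diff |= computed[i] ^ storedHash[i];
        return diff == 0;
    }
}

class Demo
{
    static void Main()
    {
        // Two users who happen to choose the same password "JAGA".
        byte[] salt1 = PasswordHasher.CreateSalt();
        byte[] salt2 = PasswordHasher.CreateSalt();
        byte[] h1 = PasswordHasher.Hash("JAGA", salt1);
        byte[] h2 = PasswordHasher.Hash("JAGA", salt2);

        // Base64 here is only a storage encoding for the binary salt and
        // digest (e.g. in VARCHAR columns); it adds no protection by itself.
        Console.WriteLine("user1: salt=" + Convert.ToBase64String(salt1) + " hash=" + Convert.ToBase64String(h1));
        Console.WriteLine("user2: salt=" + Convert.ToBase64String(salt2) + " hash=" + Convert.ToBase64String(h2));

        Console.WriteLine(PasswordHasher.Verify("JAGA", salt1, h1)); // True
        Console.WriteLine(PasswordHasher.Verify("jaga", salt1, h1)); // False
    }
}
```

Store both the salt and the digest for each user and recompute on login; the two printed hashes differ even though both users typed "JAGA", which is exactly the property Kim's note asks for. One caveat for anyone using this in production: a single SHA pass is very fast to compute, so an attacker who obtains the table can test guesses quickly; a deliberately slow key derivation such as PBKDF2 (Rfc2898DeriveBytes in .NET) over the same salt-per-user scheme makes that much more expensive.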
No, base64 encoding has nothing to do with encryption.

Check this great tip out Password Storage: How to do it.[^]

Do not encrypt the password; you hash the password with an MD5 or SHA method. This way nobody can recover the password, you generate a new one.

MySQL has a built-in password function. Check out the PASSWORD() function on the MySQL web site.

When generating a hash value, do not use the same parameter for generating the hash value, or else if two users have the same password, the hash value will also be the same.
 
Comments
Sergey Alexandrovich Kryukov 3-Jun-11 1:44am    
Correct. My 4. (Not 5 for recommending MD5. Did you know it's considered unsafe?!) Also, encryption schemes can be used for stronger protection.
Please see my solution.
--SA
Kim Togo 3-Jun-11 2:43am    
Thanks SA for pointing out about MD5. :-)
CPallini 3-Jun-11 3:17am    
My 5.
Kim Togo 4-Jun-11 1:51am    
Thanks CPallini
DES Encryption is more secure than base64 encoding.
It will be better to use DES encryption.
 
Comments
CPallini 3-Jun-11 3:16am    
Actually base64 is not encryption at all (see other answers).
Sergey Alexandrovich Kryukov 3-Jun-11 4:04am    
You are absolutely right.
--SA
yesotaso 3-Jun-11 5:39am    
Yes you are correct, Yes he wrote "DES Encryption is more secure than base64 encoding" also correct I presume...
Definitely not.

Use a good encryption standard in Security.Cryptography.

Actually, it depends on why you want to encrypt data.

If it is just some personal document, you could use DES.

If it is for highly confidential data, you could use AES.
 
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


