wpcoder - 1 year ago
Vb.net Question

What is the latest in password hash algorithm/data encryption for mysql?

Knowing little about cryptography, I am trying to find the best approach to hash a user password in a vb.net winform application, then store it in an online mysql db.
I found lots of posts about the topic but can't figure out which one is the best approach.

I reached this MSDN post but still can't be sure if I can use it.

I can't see where to enter some random key; it is generated automatically by the function.

So my question is: is this a solid function for password hashing?
Any alternatives?

Thank you

The code:

Imports System
Imports System.IO
Imports System.Security.Cryptography

Class AesExample

    Public Shared Sub Main()
        Try

            Dim original As String = "Here is some data to encrypt!"

            ' Create a new instance of the Aes
            ' class. This generates a new key and initialization
            ' vector (IV).
            Using myAes As Aes = Aes.Create()

                ' Encrypt the string to an array of bytes.
                Dim encrypted As Byte() = EncryptStringToBytes_Aes(original, myAes.Key, myAes.IV)

                ' Decrypt the bytes to a string.
                Dim roundtrip As String = DecryptStringFromBytes_Aes(encrypted, myAes.Key, myAes.IV)

                ' Display the original data and the decrypted data.
                Console.WriteLine("Original: {0}", original)
                Console.WriteLine("Round Trip: {0}", roundtrip)
            End Using
        Catch e As Exception
            Console.WriteLine("Error: {0}", e.Message)
        End Try

    End Sub 'Main

    Shared Function EncryptStringToBytes_Aes(ByVal plainText As String, ByVal Key() As Byte, ByVal IV() As Byte) As Byte()
        ' Check arguments.
        If plainText Is Nothing OrElse plainText.Length

Answer

Do not encrypt passwords: when the attacker gets the DB he will also get the encryption key. Just using a hash function is not sufficient, and just adding a salt does little to improve the security. Iterate over an HMAC with a random salt for a duration of about 100 ms and save the salt with the hash. Use a function such as ehash, PBKDF2, Bcrypt, passlib.hash or similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force.

NIST currently recommends PBKDF2 for a password verifier.

See: