How can I encrypt userid and password from user?

I want to save userid and password in a MySql database for my WinForms 开发者_JAVA技巧project. One of my friends told me that this is not secure; I should encrypt and save that. I don't know about encryption.

How can I do this?

Usually passwords are not stored in database at all. Instead hash of the password is stored. You can take a look at SHA156 class for example.

There are plenty articles in the web on how to hash passwords.
For example Storing Passwords - done right!

Note that your friend is telling you to encrypt it, which is different from storing a hash (computed using a cryptographic hash function) in the table.

If you encrypt and store it, you will be able to retrieve the password if you have the key.

If you store a secure hash of a password, you can tell if a string is the same as the password or not by hashing the string and comparing the hash in the table.

I did a search and found this answer from another SO question which explains in greater detail why you should be using a hash (of a secure variety) as opposed to encrypting the password.

Last but not least, whether encrypting or secure hashing, be sure to use a publicly tested libraries and not to "roll your own".

When using encypion one needs to choose an algorithum (method of encryption) for the data. When storing user credentials one generally creates and stores a hash of the information rather than encrypting it. The advantage of using a hash over encryption is that a hash is non-reversible, so the original data can not be recovered.

The process for creating a hash is:

1. Create a salt value (explained below)
2. Append the salt value to the password
3. Hash this string
4. Store the salt value and the hash value in the database

Then when you want to validate the credentials later:

1. Take the password value entered by the user and append the salt to it
2. Hash the string from step 1
3. Compare it with the password stored in the database. If the stored hash and the hash from step 2 match, the user has entered the correct password, otherwise the password is incorrect

Hashes and Salts

A salt value is a value unique to each user that gets appended to sensitive values such as user names and passwords before they are stored. The reason salts are used with hashes is to make it more difficult to generate lists of hashed values used in brute force attacks against the database.

Code Samples

Generating a Salt & Hash

private void EncryptPassword(string userPassword)
    {
        //Performs hashing using SHA256 algorithum
        SHA256Managed hash = new SHA256Managed();
        RNGCryptoServiceProvider random = new RNGCryptoServiceProvider();
        byte[] saltBytes = new byte[32]; // 32 bytes = 256-bit salt.
        //Fill saltBytes with cryptographically strong random values.
        random.GetBytes(saltBytes);
        //Get a byte representation of the password because the hash function 
       //works with byte arrays.
        byte[] passwordBytes = Encoding.UTF8.GetBytes(userPassword);
        byte[] hashInput = new byte[passwordBytes.Length + saltBytes.Length];
        //Append the contents of the passwordBytes and hashBytes arrays to create 
        //the input to the hash function (value to be hashed)
        passwordBytes.CopyTo(hashInput, 0);
        saltBytes.CopyTo(hashInput, passwordBytes.Length);
        //Compute (generate) a hashed representation of the input value.
        byte[] hashValue = hash.ComputeHash(hashInput);
        //Hashes are often stored as strings in databases. 
       //Hashes should be stored using Base64 encoding.
        string hashString = Convert.ToBase64String(hashValue);
        string saltString = Convert.ToBase64String(saltBytes);
        //store hashString and saltString in database.

    }

Authenticating a User

private bool AuthenticateUser(string userName, string password)
    {
        SHA256 hash = new SHA256Managed();
        //Convert hash and salts from Base64/
        byte[] storedHash = Convert.FromBase64String("Hash Value from the database");
        byte[] storedSalt = Convert.FromBase64String("Salt from Database");
        //Append salt to user password and hash the result
        byte[] attemptedPasswordBytes = Encoding.UTF8.GetBytes(password);
        byte[] hashInput = new byte[attemptedPasswordBytes.Length + storedSalt.Length];
        attemptedPasswordBytes.CopyTo(hashInput, 0);
        storedSalt.CopyTo(hashInput, attemptedPasswordBytes.Length);
        byte[] attemptedHash = hash.ComputeHash(hashInput);
       //Check whether the password entered by the user matches the stored hash. 
       return attemptedHash == storedHash;
    }

well a very simple solution is to use varbinary datatype which will store password in binary format and unreadable for other ..

If you want more security then you need to use encrytion provided my sql server itself like 128bit encryption for that u need to create asyymetric key then encrypt it with that

You could encrypt the username and password using fronthand that is C# and store that value in the database. On retrieval you have to decrypt it for matching. Have a look at this link.