Peterson's Ponderings

Technical findings, ideas, thoughts and news directly from me.

How to protect your data using a one way hash

For sensitive data such as passwords, encrypting the stored value is not enough: whoever gets hold of the decryption key can recover the plaintext.  For data whose original value your system never needs to read back, you can instead apply a one-way hash algorithm to the data before storing it.  A one-way hash is exactly that: a process that cannot be reversed to recover the original input.  Hashing is ideal for password storage because your system should never need to know a user's actual password, which means that when you store it with their credentials you should not use reversible encryption that leaves open the possibility of recovering the original value.

At this point you might be wondering: if the system does not know the password, how can it validate the password a user enters at login?  The answer is easy: you hash the value they enter and compare the result with the stored hash.  Hashing is deterministic, so the same input always produces the same output, and if the hashes match the user must have entered the right password.  (The bytes must be prepared the same way each time, so use the same character encoding at login as at registration, or the hashes will never match.)  Two different inputs producing the same hash is called a collision; for a sound hash function finding one is computationally infeasible, so there is no realistic chance of a random value matching.  This is a property of the particular algorithm rather than of hashing in general: older algorithms such as MD5 have known collision attacks and should not be chosen for new designs.  Many systems also add what is called a 'salt': a random string generated per user with a cryptographic random number generator, stored alongside that user's record, and combined with the password before hashing.  Salting ensures that two users with the same password get different stored hashes and defeats precomputed lookup tables, since an attacker would have to rebuild the table for every salt.  The salt is not a secret; the strength of the stored hash still depends on the strength of the password itself.  For more information on how hash algorithms work internally you'll need to browse the web, as I will not be covering those details here.

Hashing is pretty straightforward in .NET 2005 (and 2003 for that matter).  Below is a sample method that produces a hashed value as a string for the supplied string parameter (i.e. pass in the user's entered password, with its salt, and get back the hash value that you can store in your system).  The sample uses MD5 because it is what the framework makes easiest; for a new system prefer a stronger algorithm such as SHA-256, and be aware that a single round of any general-purpose hash is very fast, which helps an attacker who obtains your database guess passwords at high speed.  A deliberately slow, salted derivation (PBKDF2, available in .NET 2.0 as Rfc2898DeriveBytes) is the better choice for production password storage.

using System;
using System.Security.Cryptography;
using System.Text;

/// <summary>
/// Creates an MD5 hash of the data string provided and returns the hashed value as a base64 encoded string.
/// </summary>
/// <param name="data">Data to be hashed (the password with its salt already appended).</param>
/// <returns>The hash value as a base64 encoded string.</returns>
public static string CreateHash(string data) {
    // UnicodeEncoding is UTF-16; whatever encoding is used here must also be used at login.
    byte[] dataToHash = new UnicodeEncoding().GetBytes(data);
    byte[] hashedData;
    using (MD5 md5 = new MD5CryptoServiceProvider()) {
        hashedData = md5.ComputeHash(dataToHash);
    }
    // Overwrite the plaintext bytes with random data so they are not sitting in memory waiting for
    // garbage collection.  Note this only scrubs the byte array; the immutable string 'data' cannot
    // be scrubbed and will remain until it is collected.
    RNGCryptoServiceProvider.Create().GetBytes(dataToHash);

    return Convert.ToBase64String(hashedData, Base64FormattingOptions.None);
}

This method does not add a salt to the data string supplied; it is assumed the salt has already been appended to the string prior to calling the hashing method.  Remember to store that salt with the user's record so the same salt can be appended again when the entered password is hashed at login.
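The full register-and-verify flow described above, written out as an added example that is not code from the original post.  It generates a random per-user salt, hashes salt + password, stores both as one string, and at login recomputes the hash and compares it.  SHA-256 (SHA256Managed, present in .NET 2.0) is used in place of the post's MD5; the "salt:hash" storage format, the 16-byte salt length and the class and method names are my own choices, not anything the post specifies.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class PasswordStore
{
    // Salt length is an assumption for this example; 16 random bytes is a common choice.
    const int SaltBytes = 16;

    // Registration: generate a fresh random salt for this user, hash salt + password, and
    // return the string to store with the user's record.  The salt is stored in the clear;
    // it is not a secret, it only makes each user's hash unique.
    public static string CreateStoredHash(string password)
    {
        byte[] salt = new byte[SaltBytes];
        new RNGCryptoServiceProvider().GetBytes(salt);
        byte[] hash = HashPassword(salt, password);
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash);
    }

    // Login: split the stored record into salt and hash, recompute the hash of salt + the
    // entered password, and compare.  The original password is never needed.
    public static bool Verify(string enteredPassword, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 2) return false;
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        byte[] actual = HashPassword(salt, enteredPassword);
        return FixedTimeEquals(expected, actual);
    }

    // salt || UTF-8(password) through SHA-256.  The encoding must be the same at
    // registration and at login or the hashes will never match.
    static byte[] HashPassword(byte[] salt, string password)
    {
        byte[] pw = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pw.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pw, 0, input, salt.Length, pw.Length);
        byte[] hash;
        using (SHA256 sha = new SHA256Managed())
        {
            hash = sha.ComputeHash(input);
        }
        // Clear the plaintext byte arrays; the string itself cannot be scrubbed.
        Array.Clear(pw, 0, pw.Length);
        Array.Clear(input, 0, input.Length);
        return hash;
    }

    // Compare every byte regardless of where the first mismatch is, so the time taken does
    // not reveal how many leading bytes of the hash an attacker has guessed correctly.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample passwords for the demonstration.
        string stored1 = CreateStoredHash("correct horse");
        string stored2 = CreateStoredHash("correct horse");
        Console.WriteLine("Same password, different stored values: " + (stored1 != stored2));
        Console.WriteLine("Right password verifies: " + Verify("correct horse", stored1));
        Console.WriteLine("Wrong password rejected: " + Verify("correct horsf", stored1));
    }
}
```

Running Main shows that two users with the same password get different stored values because their salts differ, that the correct password verifies, and that a one-character change is rejected.  For production use, the body of HashPassword is the one place to change: replace the single SHA-256 round with a deliberately slow, iterated derivation such as PBKDF2 (Rfc2898DeriveBytes) so that an attacker who steals the table cannot test guesses at full hardware speed.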
