How to encrypt SQL Server passwords?

Posted on 2012-08-23
Last Modified: 2012-08-25
How can I encrypt and decrypt my plain text passwords in a SQL Server table? Currently they are in plain text so anyone can retrieve them.

Question by:Ricky66

    Accepted Solution

    There are methods available to do this, but you only encrypt something if you want to decrypt it later.

    Another option is to Hash the password and store the result in the table.

    Next time a user logs in, you hash the password they logged in with and then compare that hash to the one stored in the database. If they're the same, the password was entered correctly.

    Hash values cannot typically be reverse engineered.

    Google 'Hash passwords' for the environment you are working in.

    Assisted Solution

    Here is a static class I created to encrypt/decrypt strings. I stored the password and salt in the solution's resources. So you need to either set up a string1 and string2 in the resources or change Properties.Resources.string1 and Properties.Resources.string1 in the GetKey function to something else.


    using System;
    using System.IO;
    using System.Security.Cryptography;
    using System.Text;
    namespace Bus_Status.Model.Static_Classes {
       static class vault {
          #region Public Methods
          public static string Encrypt(string plainText) {
             RijndaelManaged key = GetKey();
             byte[] plainTextBytes = Encoding.UTF8.GetBytes(plainText);
             using (ICryptoTransform encryptor = key.CreateEncryptor()) {
                using (MemoryStream memoryStream = new MemoryStream()) {
                   using (CryptoStream cryptoStream = new CryptoStream(memoryStream, encryptor, CryptoStreamMode.Write)) {
                      // Write the whole byte array; its length differs from plainText.Length for non-ASCII text
                      cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length);
                      // Emit the final padded block before reading the ciphertext back
                      cryptoStream.FlushFinalBlock();
                      return Convert.ToBase64String(memoryStream.ToArray());
                   }
                }
             }
          }
          public static string Decrypt(string encryptedString) {
             RijndaelManaged key = GetKey();
             byte[] encryptedData = Convert.FromBase64String(encryptedString);
             using (ICryptoTransform decryptor = key.CreateDecryptor(key.Key, key.IV)) {
                using (MemoryStream memoryStream = new MemoryStream(encryptedData)) {
                   using (CryptoStream cryptoStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read)) {
                      // Read to the end of the stream; a single Read call may return fewer bytes than requested
                      using (MemoryStream plainText = new MemoryStream()) {
                         cryptoStream.CopyTo(plainText);
                         return Encoding.UTF8.GetString(plainText.ToArray());
                      }
                   }
                }
             }
          }
          #endregion
          #region Private Methods
          //Create encryption key
          //Key and IV are both derived from the stored strings, so they are the same on every call
          private static RijndaelManaged GetKey() {
             RijndaelManaged key = new RijndaelManaged();
             byte[] passwordBytes = Encoding.UTF8.GetBytes(Properties.Resources.string1);
             byte[] saltBytes = Encoding.UTF8.GetBytes(Properties.Resources.string2);
             PasswordDeriveBytes p = new PasswordDeriveBytes(passwordBytes, saltBytes);
             key.IV = p.GetBytes(key.BlockSize / 8);
             key.Key = p.GetBytes(key.KeySize / 8);
             return key;
          }
          #endregion
       }
    }


    Assisted Solution

    Do not use an encryption method for storing passwords in your database. Use a hashing algorithm on the plain text in conjunction with a salt.

    Also do not use MD5 or SHA as these are general purpose and "relatively" easily broken, instead use something like BCrypt:
