I have a WCF service that is being used by clients, and the following is my current implementation for user authentication. I want a recommendation to enhance it, or a better mechanism.

- I am using the RSACryptoServiceProvider class (RSA implementation) to save encrypted user passwords into the database.
- The client should encrypt the password on every log-in using the public key (stored in a file) and send it to the log-in method together with the user name.
- On the server side, the log-in method selects the encrypted password for the supplied user name and compares the decrypted passwords (the one sent by the user and the one from the DB) using the private key.

Note: every time you encrypt a string using RSA with the same public key, new encrypted bytes are generated, so I cannot compare the encrypted passwords; I have to decrypt them in order to compare.

P.S.
The answers say "For authentication purposes you should avoid storing the passwords using reversible encryption".
I am asking: if no one can decrypt the password unless he has the private key, what is the problem? Even hashing is not reversible, but it is broken!!
Best Answer
It's not common practice to store passwords encrypted instead of hashed. Do you have any particular reason to do so?
If not, I would suggest storing the passwords hashed (SHA-2 or something like that) with a salt.
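Added example (not code from the question or the answer, and Python rather than the asker's C#): the salted, SHA-2 based password storage the answer recommends, shown end to end so the difference from the asker's RSA scheme is visible. It goes one step beyond "SHA-2 with a salt": the hash is PBKDF2-HMAC-SHA256, which is SHA-256 iterated many times with the salt, because a single salted SHA-256 is fast enough to guess against offline if the table leaks. The server never decrypts anything and holds no private key; the client sends the password over TLS and the server recomputes the hash from the stored salt. The USER_TABLE dictionary and the `algorithm$iterations$salt$hash` record format are assumptions standing in for the service's database column.

```python
import base64
import hashlib
import hmac
import os

# Assumed stand-in for the database column that currently holds RSA-encrypted
# passwords: user name -> stored record string.
USER_TABLE = {}

# Work factor for PBKDF2-HMAC-SHA256. The iteration count, not the salt, is
# what makes each offline guess expensive; raise it as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$hash (base64).

    A fresh random salt is drawn per call, so hashing the same password twice
    yields two different records, and two users with the same password cannot
    be linked by comparing their stored values.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (
        ALGORITHM,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, record):
    """Recompute the hash with the stored salt and iteration count and compare.

    Nothing is decrypted: the stored value cannot be turned back into the
    password, so the only way to check a candidate is to hash it the same way.
    """
    try:
        algorithm, iterations, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False  # malformed record, never authenticate on it
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison: a plain == would return early on the first
    # differing byte and leak how much of the hash matched via timing.
    return hmac.compare_digest(actual, expected)


def register(user, password):
    """Store only the salted hash; the plaintext is discarded after this call."""
    USER_TABLE[user] = hash_password(password)


def login(user, password):
    """Server-side log-in method: receives user name and password (over TLS)."""
    record = USER_TABLE.get(user)
    if record is None:
        # Spend the same work for an unknown user so that timing does not
        # reveal which user names exist. The fixed salt is an assumption; its
        # result is discarded.
        hash_password(password, salt=b"\x00" * SALT_BYTES)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(USER_TABLE["alice"])
    print("good password:", login("alice", "correct horse battery staple"))
    print("bad password: ", login("alice", "Tr0ub4dor&3"))
```

Two properties worth noting against the asker's design: the stored record is useless to someone who steals the table unless they guess the password, since there is no key anywhere that reverses it, and the non-determinism the asker ran into with RSA is present here too (the salt) but is harmless, because verification recomputes the hash from the stored salt instead of needing to compare two fresh values.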