Password encryption

耶瑟儿~ 2021-01-14 15:38

I am creating a login screen for an application in C#. In my login screen I am reading the username and password from the database and checking whether the entered username

5 answers
  •  庸人自扰
    2021-01-14 15:59

    Along with the given advice, there are other methods to protect passwords:

    1. One-Time Password: In spite of implementing a salted hash, passwords are still stored on the hard disk and are prone to being cracked. So a better approach is required here. In contrast with static passwords, one-time passwords are changed each time a user logs on to the system, and usually users should carry a small hardware device used for synchronizing with the server. Mainly there are two types of OTP: (Visit Safer Authentication with a One-Time Password)

      • Time-Synchronized
      • Counter-Synchronized
    2. Using BCrypt, which uses a variant of the Blowfish encryption algorithm's keying schedule and contains a work factor, which lets you determine how expensive the hash function will be. In order to get familiar with BCrypt, visit: http://codahale.com/how-to-safely-store-a-password/

    In C#, you can use the BCrypt.Net library, which is a port of the jBCrypt library. Read the following article to understand how to get this library up and running in Visual Studio.Net:

    Using BCrypt in a .NET Application – Why it’s better than SHA or MD5.

    Of course, there are a lot of discussions about this algorithm on SO; search and study more about this.
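
The BCrypt flow from point 2 of the answer above, as an added example that is not part of the original answer or the library's own code. It assumes the BCrypt.Net-Next NuGet package; `PasswordStore`, the in-memory `Users` dictionary, the work factor of 12 and the sample accounts are constructed for illustration.

```csharp
// Added example. Assumes the BCrypt.Net-Next NuGet package (namespace BCrypt.Net).
using System;
using System.Collections.Generic;

static class PasswordStore
{
    // Assumed policy value: raise it until one hash costs roughly 0.1-0.3 s on your server.
    const int WorkFactor = 12;

    // Constructed in-memory stand-in for the users table: username -> bcrypt hash.
    static readonly Dictionary<string, string> Users = new Dictionary<string, string>();

    // Verified against when the username is unknown, so both paths pay for one bcrypt run.
    static readonly string DummyHash = BCrypt.Net.BCrypt.HashPassword("placeholder", WorkFactor);

    public static void Register(string user, string password)
    {
        // HashPassword draws a random salt and stores it with the cost: $2a$12$<salt><digest>
        Users[user] = BCrypt.Net.BCrypt.HashPassword(password, WorkFactor);
    }

    public static bool Login(string user, string password)
    {
        bool known = Users.TryGetValue(user, out string stored);
        bool ok = BCrypt.Net.BCrypt.Verify(password, known ? stored : DummyHash);
        if (!known || !ok) return false;

        // The plaintext is only available now, so upgrade hashes made with an older, cheaper cost.
        if (CostOf(stored) < WorkFactor)
            Users[user] = BCrypt.Net.BCrypt.HashPassword(password, WorkFactor);
        return true;
    }

    // The cost is the second '$'-separated field of the stored string: "$2a$06$..." -> 6.
    static int CostOf(string hash) => int.Parse(hash.Split('$')[2]);

    static void Main()
    {
        Register("alice", "correct horse battery staple");
        Users["bob"] = BCrypt.Net.BCrypt.HashPassword("hunter2", 6); // constructed legacy hash

        Console.WriteLine("alice, right password: " + Login("alice", "correct horse battery staple"));
        Console.WriteLine("alice, wrong password: " + Login("alice", "guess"));
        Console.WriteLine("unknown user:          " + Login("mallory", "guess"));
        Console.WriteLine("bob cost before login: " + CostOf(Users["bob"]));
        Console.WriteLine("bob login:             " + Login("bob", "hunter2"));
        Console.WriteLine("bob cost after login:  " + CostOf(Users["bob"]));
    }
}
```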
