
How to store a password hash on Windows Phone


This tip shows how to store a password hash value and use it for authentication of entered passwords. This is more secure than storing the password itself.

Applications that use login authentication should not store the application password directly, because the app's data may not be secure on the phone, or once it is backed up to a server/desktop. Password lists have been acquired many times through SQL injection break-ins, for example.

A better approach is to calculate a hash value for the password using a one-way function and store that instead. When a user later enters a password, the app hashes it and compares the result with the stored hash to decide whether to grant access. Because the hash is calculated with a one-way function (very simple to compute but very expensive to invert), an attacker who obtains the hash value cannot simply invert it to recover the password and access the app.

The ComputeHash function in the System.Security.Cryptography.SHA256Managed class uses the SHA-256 algorithm to compute the hash value. The GetHashCode() function below creates a hash of a string using SHA256Managed. It can be used both to calculate the hash to store when the password is set, and to hash the passwords users enter later for comparison.

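using System;
using System.Security.Cryptography;
using System.Text;

// Returns the Base64-encoded SHA-256 hash of the UTF-8 bytes of p.
public static string GetHashCode(string p)
{
    using (var a = new SHA256Managed())
        return Convert.ToBase64String(a.ComputeHash(Encoding.UTF8.GetBytes(p)));
}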
Article Metadata

Article
Created: influencer (24 Sep 2012)
Last edited: hamishwillee (10 Apr 2013)


This page was last modified on 10 April 2013, at 04:30.