The question already has an
intrinsic mistake — an idea to decrypt password. If you think about it, you will see that
decryption of a password is never needed in authentication.
Nobody should know the password, even a person who can full access the site and the location where authentication data is stored. In fact, a password should
never be stored anywhere. Is it possible? It is possible, but it is not simple — is is
very simple.
There can be different ways to do it, I'll explain the simplest one: you use calculate a
cryptographic hash function of a password and store it. This function cannot be inverted, so there is no decryption in principle. During authentication, the user (why is the only person who knows the original password which is never stored anywhere) types the password, it is immediately passed through a cryptographic hash function, and obtained hash is compared with the stored hash. As simple as that.
Please see
http://en.wikipedia.org/wiki/Cryptographic_hash_function[
^].
This article also explains the properties of such functions which make them suitable for security.
Now, it is
very important not to use MD5. This function is found to be "broken" and hence unsafe. Please see
http://en.wikipedia.org/wiki/MD5[
^].
Instead, you can use one of the functions from the "SHA-2" family (stands for
Secure Hash Algorithm). A set of these function is available in .NET. Please see:
http://en.wikipedia.org/wiki/SHA2[
^],
http://msdn.microsoft.com/en-us/library/system.security.cryptography.hashalgorithm.aspx[
^].
—SA
Submit an article or tip