Normally, the user id is held in a database table, and the password is hashed and also stored: so you are never storing the password in clear. Frequently, the password is combined with the username before it is hashed to prevent two users with the same password from generating the same hash.
Because hashing is not encryption - encryption can be reversed, hashing can't - the password is never stored in a readable format, so database intrusion cannot reveal any passwords. When you check a user login, you regenerate the hash from the information he supplied, and check that against the database stored value. If it matches, log him in!
Often the hash is MD5, but that is not recommended for new designs, and MD5 is officially "broken" - it is possible in some cases to generate a type-able password from the hash value - and it is recommended to use SHA instead. .NET supports MD5 and SHA as part of the System.Cryptography namespace.
The SHA256 Class includes a small example of how to hash information.
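The scheme described above, as a C# example added here (it is not part of the original answer or of the .NET documentation). The names `PasswordStore`, `HashCredentials`, `Register` and `CheckLogin` are hypothetical, an in-memory dictionary stands in for the database table, and `CryptographicOperations.FixedTimeEquals` assumes .NET Core 2.1 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

static class PasswordStore
{
    // Stand-in for the database table: user id -> stored hash (never the password).
    static readonly Dictionary<string, byte[]> Users = new Dictionary<string, byte[]>();

    // Hash the user name together with the password, so two users who pick
    // the same password still end up with different stored values.
    static byte[] HashCredentials(string userName, string password)
    {
        // The length prefix keeps ("ab", "c") and ("a", "bc") from
        // collapsing into the same input string.
        string combined = userName.Length + ":" + userName + password;
        using (SHA256 sha = SHA256.Create())
        {
            return sha.ComputeHash(Encoding.UTF8.GetBytes(combined));
        }
    }

    static void Register(string userName, string password)
    {
        Users[userName] = HashCredentials(userName, password);
    }

    // Login check: regenerate the hash from what the user supplied and
    // compare it with the stored value. The password itself is never kept.
    static bool CheckLogin(string userName, string password)
    {
        byte[] stored;
        if (!Users.TryGetValue(userName, out stored)) return false;
        byte[] supplied = HashCredentials(userName, password);
        // Constant-time comparison, so timing does not reveal how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(stored, supplied);
    }

    static void Main()
    {
        // Constructed sample data: two users with the same password.
        Register("alice", "correct horse");
        Register("bob", "correct horse");
        Console.WriteLine("alice, right password: " + CheckLogin("alice", "correct horse"));
        Console.WriteLine("alice, wrong password: " + CheckLogin("alice", "wrong"));
        Console.WriteLine("alice: " + Convert.ToBase64String(Users["alice"]));
        Console.WriteLine("bob:   " + Convert.ToBase64String(Users["bob"]));
    }
}
```

The last two lines of output show that the stored values for the two users differ even though their passwords are identical.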