First of all, don't store passwords anywhere. This would not be an acceptable or safe practice and is not needed for authentication. No one has a right to know the original password except the person who created it, no matter how much access to the system one has. One of the most popular ways is using a cryptographic hash function. You can calculate the hash function before submitting a username/password pair and transmit only the result of the hash function; on the server side, only hashed values are stored, so you always compare hash with hash. Please see:
http://en.wikipedia.org/wiki/Cryptographic_hash_function.
The nature of the hash function algorithm makes inverting it infeasible, so it is infeasible to find out an original password. Please see:
http://en.wikipedia.org/wiki/Computational_complexity_theory#Intractability.
It is important not to use MD5 or SHA-1. These algorithms are proven broken and should not be used for any security purposes. Please see:
http://en.wikipedia.org/wiki/MD5,
http://en.wikipedia.org/wiki/SHA-1.
I would recommend using one of the algorithms of the SHA-2 family. Please see:
http://en.wikipedia.org/wiki/SHA-2.
The cryptographic hash function algorithms are well implemented in .NET. Please see:
http://msdn.microsoft.com/en-us/library/system.security.cryptography.hashalgorithm.aspx.
See also my past answer:
Is base64Encode function is best for encode a password string?
—SA