When does salting passwords become too secure? I have a couple of functions that Encrypt and Decrypt users' passwords, but I am concerned that it might be overkill.
First I have my encryption method which takes the encrypted password and the salt and puts it all in one string (up to 256 Characters) in my database. In addition to that it actually only encrypts the password with a 32 Character string of my original 128 Character Salt String, which the function chooses at random.
Public Function EncryptPassword(Password As String) As String
    Dim EPassword As String = String.Empty
    ' Generate Random 128 Base64 Salt String
    Dim Salt As String = Var.Simple3Des.GenerateSalt
    ' Divide into Substrings, and combine into splitable string
    Dim SmallSalts As String = Salt.Substring(0, 32) + "." + Salt.Substring(32, 32) + "." + Salt.Substring(64, 32) + "." + Salt.Substring(96, 32)
    ' Create the Salt Array
    Dim SaltArray = Split(SmallSalts, ".")
    ' Randomly Choose part of the array to actually use as salt
    Dim rnd As New Random
    Dim TrueSalt As String = SaltArray(rnd.Next(0, SaltArray.Length))
    ' Encrypt The Password
    Dim Security As New Var.Simple3Des(TrueSalt)
    EPassword = Security.EncryptData(Password)
    ' Divide up the salt and password and place into same string
    Dim PasswordString As String = Salt.Substring(0, 16) + EPassword.Substring(0, 6) + Salt.Substring(16, 112) + EPassword.Substring(6, EPassword.Length - 6)
    Return PasswordString
End Function
I then use the same formula to Decrypt the password, by trying all possible sub-string combinations until it finds the right one.
Public Function DecryptPassword(NtID As String) As String
    ' Grab The Users Encrypted Password
    Dim UserID As Integer = GetAppUserID(NtID)
    Dim User As Users = Var.db.Web.Users.Find(UserID)
    Dim EPassword = User.Password
    ' Divide the Encrypted Password Into Salt and Actual Password
    Dim Salt As String = EPassword.Substring(0, 16) + EPassword.Substring(22, 112)
    Dim Password As String = EPassword.Substring(16, 6) + EPassword.Substring(134, EPassword.Length - 134)
    Dim DPassword As String = String.Empty
    ' Try each substring of Salt until password is Decrypted.
    Try
        If DPassword = String.Empty Then
            Dim Security As New Var.Simple3Des(Salt.Substring(0, 32))
            DPassword = Security.DecryptData(Password)
        End If
    Catch ex As Exception
        DPassword = String.Empty
    End Try
    Try
        If DPassword = String.Empty Then
            Dim Security As New Var.Simple3Des(Salt.Substring(32, 32))
            DPassword = Security.DecryptData(Password)
        End If
    Catch ex As Exception
        DPassword = String.Empty
    End Try
    Try
        If DPassword = String.Empty Then
            Dim Security As New Var.Simple3Des(Salt.Substring(64, 32))
            DPassword = Security.DecryptData(Password)
        End If
    Catch ex As Exception
        DPassword = String.Empty
    End Try
    Try
        If DPassword = String.Empty Then
            Dim Security As New Var.Simple3Des(Salt.Substring(96, 32))
            DPassword = Security.DecryptData(Password)
        End If
    Catch ex As Exception
        DPassword = String.Empty
    End Try
    Return DPassword
End Function
My question is
A. Aside from possible performance issues, what other dangers does this method pose?
B. Is this overkill, is salting and storing the salt/password like this even necessary?
C. If this is unnecessary what other methods could I use to salt and store salt/password?