
I am hashing the password together with the user login and saving it in the database as a VARBINARY 20 bytes long.

Now, I am trying to build a login page in ASP.NET. How can I source the password value from the database to compare it with the one provided by the user? I use SqlDataReader to read the database.

Regards,

Bartosz

Bartosz
  • Information about hashing vs. encrypting: [Difference between Hashing a Password and Encrypting it](http://stackoverflow.com/questions/326699/difference-between-hashing-a-password-and-encrypting-it?rq=1) – Martin Liversage Sep 13 '12 at 10:12
  • Don't forget to add a [salt](http://en.wikipedia.org/wiki/Salt_(cryptography)) – Bart Verkoeijen Sep 13 '12 at 10:25

4 Answers


You need to store these in a table containing a column with the username in clear text, so you can get the hash according to the user trying to log in, and compare the hashed input with the hashed stored one.

CloudyMarble
  • I do have the username in clear text saved in the database. It's sourcing the hashed password and converting it into byte[] for comparison that I can't do. – Bartosz Sep 13 '12 at 10:43

You don't unhash the database password and compare it to the input.

You hash the input and compare it to the password. If the two hashes match, you assume it's the same password¹.

¹ Technically, depending on your hash function, it might not be, as the user could have randomly entered a password which hashes to the same value as the real password, but that's being pedantic ;)

RB.
  • And this is what I'm trying to do. But how can I convert the `reader["password"]`, which contains my hashed password, into byte[] for comparison? – Bartosz Sep 13 '12 at 10:48
  • `(Byte[])reader["usrPassword"]` is what I was looking for. Thanks anyway – Bartosz Sep 13 '12 at 10:58

You create a hash (with the same algorithm as used to create the initial hash) over the password the user enters and search in the DB if the hash is the same as the initial hash --> if yes, it was the same password.

The idea of the hash is to have an unreturnable function --> you can check if it's the same, but you will never be able to reconstruct the input data.

fixagon
  • And this is what I'm trying to do. But how can I convert the `reader["password"]`, which contains my hashed password, into byte[] for comparison? – Bartosz Sep 13 '12 at 10:48

As RB. said, you retrieve the hashed password from the database. Then you take the password provided by the user and hash it using the same hashing algorithm you used previously. If the hashcode from the database matches the hashcode for the user-entered password, then the password is correct.

tranceporter
  • And this is what I'm trying to do. But how can I convert the `reader["password"]`, which contains my hashed password, into byte[] for comparison? – Bartosz Sep 13 '12 at 10:47
  • Have a look at a similar question. There is code to compute the hash in bytes. http://stackoverflow.com/questions/2687196/asp-net-membership-c-sharp-how-to-compare-existing-password-hash – tranceporter Sep 13 '12 at 10:58
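
An added example (not code from any of the posts) of the check this thread settles on: read the VARBINARY column as `byte[]` with the cast from Bartosz's comment, hash the submitted credentials the same way, and compare the two arrays in constant time. SHA-1 over login + password is an assumption inferred from the 20-byte column; the sample row and credentials are constructed, and a `DataTable` reader stands in for `SqlDataReader` so the code runs without a database.

```csharp
using System;
using System.Data;
using System.Security.Cryptography;
using System.Text;

static class LoginCheck
{
    // Assumption: the stored value is SHA-1 (20 bytes) over UTF-8(login + password).
    // Swap in whatever actually produced the stored VARBINARY(20).
    static byte[] HashCredentials(string login, string password)
    {
        using (var sha1 = SHA1.Create())
            return sha1.ComputeHash(Encoding.UTF8.GetBytes(login + password));
    }

    // Touches every byte so timing does not reveal where the first mismatch is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // record is the current row; SqlDataReader implements IDataRecord.
    public static bool Verify(IDataRecord record, string login, string password)
    {
        object value = record["usrPassword"];
        if (value == DBNull.Value) return false;   // casting DBNull to byte[] would throw
        byte[] stored = (byte[])value;             // VARBINARY comes back as byte[]
        return FixedTimeEquals(stored, HashCredentials(login, password));
    }

    static void Main()
    {
        // Constructed sample row standing in for the result of a
        // parameterized SELECT of usrPassword for the submitted login.
        var table = new DataTable();
        table.Columns.Add("usrPassword", typeof(byte[]));
        table.Rows.Add(new object[] { HashCredentials("bartosz", "correct horse") });
        using (IDataReader reader = table.CreateDataReader())
        {
            bool found = reader.Read();
            Console.WriteLine(found && Verify(reader, "bartosz", "correct horse"));
            Console.WriteLine(found && Verify(reader, "bartosz", "wrong guess"));
        }
    }
}
```

With a real `SqlDataReader`, pass the reader itself to `Verify` once `Read()` has returned true. For a new schema, a per-user salt with a slow derivation such as `Rfc2898DeriveBytes` resists offline guessing better than a single unsalted hash.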