3

Scenario:

  • An old ASP.NET 2.0 application that uses SQL Server 2005.
  • Passwords are stored in the database in plain text
  • We want to upgrade the app to use forms authentication
  • Need to recreate all the passwords just like forms authentication would

Question:

  • How do we generate hashed passwords (with salts) using T-SQL for storage in the database that would be identical to the ones that forms authentication would generate:

So how do we create this:

DHSicgbY+Av0LyQpBZl2M5EuyOk=

which is a hashed password (plus salt), but using T-SQL instead?

Drongo
  • You can start from this example: [T-SQL: Salted Passwords](http://stackoverflow.com/questions/5985708/t-sql-salted-passwords) – von v. Feb 21 '13 at 00:35

1 Answer

0

Under SQL Server 2005, use HASHBYTES(), preferably using the SHA1 hash algorithm. (SQL Server 2012 now supports SHA-256 and SHA-512.)

You can use NEWID() to generate random GUIDs for your salts.

Returns the MD2, MD4, MD5, SHA, or SHA1 hash of its input.

As @von v. pointed out: T-SQL: Salted Passwords

Community
Mitch Wheat
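An added example, not code from either post, combining HASHBYTES() and NEWID() as the answer suggests. It assumes the target is the SqlMembershipProvider "Hashed" format with SHA1, that is Base64(SHA1(salt bytes followed by the UTF-16LE password bytes)) with a 16-byte salt stored as Base64. The table dbo.LegacyUsers and its columns are hypothetical names.

```sql
-- Added example. dbo.LegacyUsers, PlainPassword, SaltBin and HashBin are
-- hypothetical names; the password literal is a constructed sample value.
-- Assumed target format (SqlMembershipProvider, Hashed, SHA1):
--   Password     = Base64( SHA1( saltBytes + UTF-16LE(password) ) )
--   PasswordSalt = Base64( saltBytes )   -- 16 bytes

-- Single value, to check the format against one known account.
DECLARE @plain nvarchar(128);
DECLARE @salt  varbinary(16);
DECLARE @hash  varbinary(20);

SET @plain = N'P@ssw0rd!';
SET @salt  = CAST(NEWID() AS varbinary(16));   -- one fresh salt per user

-- Casting nvarchar to varbinary yields the same UTF-16LE bytes that
-- Encoding.Unicode.GetBytes() produces on the .NET side.
SET @hash = HASHBYTES('SHA1', @salt + CAST(@plain AS varbinary(256)));

-- Base64 encoding through XQuery, which SQL Server 2005 supports.
SELECT
    CAST(N'' AS xml).value('xs:base64Binary(sql:variable("@hash"))', 'varchar(28)') AS [Password],
    CAST(N'' AS xml).value('xs:base64Binary(sql:variable("@salt"))', 'varchar(24)') AS PasswordSalt;

-- Whole table. Each NEWID() call returns a new value, so store the salt
-- first and then hash with the stored value.
UPDATE dbo.LegacyUsers
SET SaltBin = CAST(NEWID() AS varbinary(16));

-- The inner CAST forces UTF-16 bytes even if PlainPassword is varchar.
UPDATE dbo.LegacyUsers
SET HashBin = HASHBYTES('SHA1',
        SaltBin + CAST(CAST(PlainPassword AS nvarchar(128)) AS varbinary(256)));

-- Base64 strings in the form the membership tables store.
SELECT u.UserName,
    CAST(N'' AS xml).value('xs:base64Binary(sql:column("u.HashBin"))', 'varchar(28)') AS [Password],
    CAST(N'' AS xml).value('xs:base64Binary(sql:column("u.SaltBin"))', 'varchar(24)') AS PasswordSalt
FROM dbo.LegacyUsers AS u;
```

Before dropping the plain-text column, compare one row against a hash the provider itself produced for the same password and salt. The value in the question cannot be reproduced without knowing its salt.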