I've got a webpage in asp.net, with C# as the codebehind. Every user has a hashed password, made using the PWDENCRYPT, but I do that manually using a file on the SQL Server. I'm looking at having it so that everyone can change their own passwords.

At the moment I've got:

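            // Bind the password as a real parameter: no quotes around @MyPass,
            // and the parameter name must match the one used in the SQL text.
            SqlCommand cmd = new SqlCommand("select pwdencrypt(@MyPass)", Conn);
            cmd.Parameters.AddWithValue("@MyPass", txtNewPass1.Text);
            string HashedPass;
            try
            {
                Conn.Open();
                // pwdencrypt returns varbinary, so ExecuteScalar() yields a byte[];
                // calling ToString() on it gives only the type name "System.Byte[]".
                HashedPass = cmd.ExecuteScalar().ToString();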
                //rdr = cmd.ExecuteReader();
                //while (rdr.Read())
                //{
                //    if (rdr["pwdencrypt"] != DBNull.Value) MyNewPassH = (string)rdr["pwdencrypt"];
                //}
            }
            finally
            {
                if (rdr != null)
                {
                    rdr.Close();
                }
                if (Conn != null)
                {
                    Conn.Close();
                }
            }

This takes the new value for our password (txtNewPass1.Text) and tries to get the hashed password into the HashedPass string. We would then (after all this) take that HashedPass and put it into the database, which is all fine and dandy.

At the moment though, this is simply returning a System.Byte[] - or something along those lines. As said, I am looking at having it in a string and then putting it into the database. Anyone got any ideas? I'm probably doing something wrong but don't quite know what.

user1560834
  • Related: http://stackoverflow.com/q/615704/335858; Don't forget to add salt, your code does not seem to use it. – Sergey Kalinichenko Jul 01 '13 at 14:53
  • _Why_ do you want it to use a string? What purpose would using a string serve that a byte[] can't accomplish? If you're already using pwdencrypt on the server, it's likely that your existing password column is a byte[]. – Joel Coehoorn Jul 01 '13 at 15:00
  • The password is stored as a varchar(max). I guess I could simply continue using the byte (to be honest I'm still relatively new and didn't realise I could use byte[] to return the entire value - thought it was just returning one character). – user1560834 Jul 01 '13 at 15:10

1 Answer

You can convert a byte[] to a string using base64 encoding.

    string encodedString = System.Convert.ToBase64String(myBytes);

Or you might want to store the bytes in your DB more directly using a BLOB or other similar data type (e.g. BINARY or VARBINARY). (I'm not too familiar with SQL Server's data types here, so I can't recommend which precisely to use.)

Tim S.
  • I *think* that's working. Will check whether the string it spits out will also be fine to be used as the hashed password tomorrow (just about to leave for the day). – user1560834 Jul 01 '13 at 15:09
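
An added example (not part of the original question or answer) that ties the thread together: read the `PWDENCRYPT` result as a `byte[]`, store it as Base64 text in the `varchar(max)` column, and decode it back to bytes before handing it to `PWDCOMPARE`. The class name and the `Users`, `UserName` and `PasswordHash` names are assumptions; `Main` only exercises the encoding on constructed bytes, while the other methods need an open connection.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class PwdEncryptExample
{
    // Hash on the server with a bound parameter; the varbinary result arrives as byte[].
    static byte[] HashOnServer(SqlConnection conn, string password)
    {
        using (var cmd = new SqlCommand("select pwdencrypt(@MyPass)", conn))
        {
            cmd.Parameters.Add("@MyPass", SqlDbType.NVarChar, 128).Value = password;
            return (byte[])cmd.ExecuteScalar();
        }
    }

    // Store the hash as Base64 text in a varchar(max) column.
    // Users, UserName and PasswordHash are assumed names, not taken from the question.
    static void SaveHash(SqlConnection conn, string userName, byte[] hash)
    {
        const string sql = "update Users set PasswordHash = @Hash where UserName = @Name";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Hash", SqlDbType.VarChar, -1).Value = Convert.ToBase64String(hash);
            cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 128).Value = userName;
            cmd.ExecuteNonQuery();
        }
    }

    // Check a login attempt: decode the stored text back to bytes for PWDCOMPARE.
    static bool Verify(SqlConnection conn, string attempt, string storedBase64)
    {
        using (var cmd = new SqlCommand("select pwdcompare(@Attempt, @Hash)", conn))
        {
            cmd.Parameters.Add("@Attempt", SqlDbType.NVarChar, 128).Value = attempt;
            cmd.Parameters.Add("@Hash", SqlDbType.VarBinary, -1).Value = Convert.FromBase64String(storedBase64);
            return (int)cmd.ExecuteScalar() == 1;
        }
    }

    static void Main()
    {
        // Constructed bytes standing in for a PWDENCRYPT result (not a real hash).
        byte[] hash = { 0x01, 0x00, 0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0xFF };
        Console.WriteLine(hash.ToString());              // the array's type name only
        string text = Convert.ToBase64String(hash);      // printable form for the column
        Console.WriteLine(text);
        Console.WriteLine(Convert.FromBase64String(text).Length == hash.Length);
    }
}
```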