I'm developing a task (nothing professional, just for learning), where I have an application that has a web application in ASP.NET and an administrator application in WPF. Both of these projects connect to the same localdb database. The task is to make sure that only non-admins can register on the web app, but admins on the WPF app also need authentication (and the Users table also has some dependencies).

So, the database is like:

UsrName  UsrPwd   IsAdmin
admin    NULL     True
nonadmin kdjfgbjk False

My issue is that the UsrPwd only contains the hashed passwords for the users because of security reasons. Now, since only the non-admins get to register on the web app, I don't know how I can add passwords to the admins because of the hashing - I added the admins via SQL queries (that's why their UsrPwd are NULL).

So my question is: How can I update the password for an administrator user so that I know what the password is (think of me as the system administrator providing the initial passwords), BUT only the hashed password gets saved in the database?

I thought about solving the issue by registering a user and changing the IsAdmin to True via SQL, but since there are some foreign key dependencies on the admin usernames, I'd rather not do that (I'd have to rebuild the database).

Is there any way I can add passwords to the admin users? I think the keyword here is some kind of code-first migration maybe (?) but I don't know how to do that or if that's even the way to go.

Thank you!

EDIT

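I'm not really using Identity or OWIN or any such thing, all I do is:

// Requires: using System.Security.Cryptography; using System.Text;
byte[] passwordBytes;
using (SHA512CryptoServiceProvider provider = new SHA512CryptoServiceProvider())
{
    // Single SHA-512 pass over the UTF-8 bytes of the password
    passwordBytes = provider.ComputeHash(Encoding.UTF8.GetBytes(user.UserPassword));
}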

_entities.SoftwareUser.Add(new SoftwareUser
{
    UsrName = user.UserName,
    UsrPwd = passwordBytes,
    IsAdmin = false,
});

Where SoftwareUser is the entity generated based on the database.

lte__
  • Are you using ASP.NET Membership or Identity? Here's a link on how to reverse and recreate password hashing for membership http://stackoverflow.com/questions/1137368/what-is-default-hash-algorithm-that-asp-net-membership-uses – WithMetta May 15 '17 at 16:24
  • Here's a post explaining how Identity works http://stackoverflow.com/questions/20621950/asp-net-identity-default-password-hasher-how-does-it-work-and-is-it-secure – WithMetta May 15 '17 at 16:26
  • @WithMetta I don't think I'm using either, I'm just manually hashing the passwords (updated the post with code). – lte__ May 15 '17 at 16:35

1 Answer


I would put this somewhere that runs upon your web application's start.

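// Requires: using System; using System.Linq; using System.Security.Cryptography; using System.Text;
// Same hashing as the registration code: SHA-512 over the UTF-8 bytes of the password.
Func<string, byte[]> getPwHash = (pwStr) => {
    using (SHA512CryptoServiceProvider provider = new SHA512CryptoServiceProvider())
    {
        return provider.ComputeHash(Encoding.UTF8.GetBytes(pwStr));
    }
};

// Give every user whose password is still NULL the hash of the default password.
var nullpwUsers = _entities.SoftwareUser.Where(user => user.UsrPwd == null);
foreach (var user in nullpwUsers)
{
    user.UsrPwd = getPwHash("DefaultPassword");
}
_entities.SaveChanges();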
WithMetta