
I'm trying to update my database with a new hashed password on ASP.NET with a change password form, but it isn't working nor giving me errors.

I'm using bcrypt for hashing. Registration and login are working just fine, but changing the hashed password is difficult.

        SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["dbconnection"].ConnectionString);
        con.Open();

        // Select: builds the lookup of the stored hash (this snippet never executes it)
        string query = "select password from Users where name=@name";
        SqlCommand cmd = new SqlCommand(query, con);
        cmd.Parameters.AddWithValue("@password", txtOld.Text.Trim()); // not referenced by the SELECT text
        cmd.Parameters.AddWithValue("@name", LblUser.Text);

        // Update
        try
        {
            string queryupdate = "UPDATE Users SET password=@newpassword WHERE name=@name";
            SqlCommand cmd1 = new SqlCommand(queryupdate, con);
            string salt = BCr.BCrypt.GenerateSalt(12);
            // if you look at the hashed password, notice that it's prepended with the salt generated above
            string hashedPassword = BCr.BCrypt.HashPassword(txtConfirm.Text.Trim(), salt);
            cmd1.Parameters.AddWithValue("@name", LblUser.Text);
            cmd1.Parameters.AddWithValue("@newpassword", hashedPassword);
            cmd1.Parameters.AddWithValue("@password", txtOld.Text.Trim()); // not referenced by the UPDATE text
            cmd1.ExecuteNonQuery();
            // note: LblUser.Text is also the @name value above; overwriting it here changes the next lookup
            LblUser.Text = "Password changed successfully";
            LblUser.ForeColor = System.Drawing.Color.Green;
        }
        catch (Exception ex)
        {
            System.Diagnostics.Debug.WriteLine(ex); // the exception was previously swallowed unseen
            LblUser.Text = "Something Went Wrong";
            LblUser.ForeColor = System.Drawing.Color.Red;
        }
        finally
        {
            con.Close();
        }
Sam Axe
  • How are you verifying if the password is changed or not? Are you seeing the label text changed to "Password changed successfully"? – Chetan May 16 '18 at 00:52
  • I stored the code for verifying elsewhere because, with or without it, it still isn't updating. Yes, I'm always seeing the label. Damn, this is difficult haha. – Pedro Sanches May 16 '18 at 00:57
  • @Pedro Sanches, in your try/catch can you add a console/debug line to print the exception? Currently you catch an exception but aren't doing anything with it – Stasis May 16 '18 at 01:30
  • @Pedro, and also why do you need the line cmd1.Parameters.AddWithValue("@password", txtOld.Text.Trim());? You are not using it in that query anyway; try removing it – Stasis May 16 '18 at 01:32
  • Don't you also need to store the new hash? Otherwise how will you be able to verify the user's password when they log in again? Or because it's `prepended` to the hashed password maybe the algo takes care of it? – pmcilreavy May 16 '18 at 01:33
  • If this is the same method btw, I believe it wouldn't work too. – Stasis May 16 '18 at 01:37
  • @pmcilreavy The second part is right -- it's built in to bcrypt, no separate hash. – wazz May 16 '18 at 02:30
  • Fwiw, passwords for my provider are in the Membership table, not the Users table. – wazz May 16 '18 at 02:36
  • I removed some unnecessary code and I added a debug line as @Stasis pointed out; no exceptions are showing up. I'll see what I can do when I get home. – Pedro Sanches May 16 '18 at 10:12
  • I used int count = cmd1.ExecuteNonQuery(); and an if/else statement and it's returning 0 rows affected for me. Is the error here? – Pedro Sanches May 16 '18 at 15:58

1 Answer

I'm assuming you're using the newer version of the bcrypt library https://www.nuget.org/packages/BCrypt.Net-Next/ rather than the old one with bugs.

Firstly, don't generate the salt yourself; this is dealt with in the library.

You can generate a new password hash securely by simply calling

var myNewHash = BCrypt.ValidateAndReplacePassword(currentPassword, currentHash, newPassword);

This of course forces the process to require the user to enter their current password in order to change their password (this is best practice).

If you're doing this in the sense of a password reset, you should hash the password using

var myNewHash = BCrypt.HashPassword("newpassword");

As documented at the start of the readme: https://github.com/BcryptNet/bcrypt.net

As for the SQL element, I'd consider using EF or Dapper.Net over direct ADO manipulation. SQL parameterisation isn't foolproof protection against SQLi: "Examples of SQL injection even when using SQLParameter in .NET?"

If you're using ADO, though, make sure you specify your parameter types, à la

  // SqlDbType lives in System.Data
  var connect = ConfigurationManager.ConnectionStrings["NorthWind"].ToString();
  var query = "Select * From Products Where ProductID = @ProductID";
  using (var conn = new SqlConnection(connect))
  {
    using (var cmd = new SqlCommand(query, conn))
    {
      // Typed parameter: the value can only ever be an int, never SQL text
      cmd.Parameters.Add("@ProductID", SqlDbType.Int);
      cmd.Parameters["@ProductID"].Value = Convert.ToInt32(Request["ProductID"]);
      conn.Open();
      //Process results
    }
  }

Disclaimer: I'm the author of the listed repo

Code sample for ADO from https://www.mikesdotnetting.com/article/113/preventing-sql-injection-in-asp-net

Chris McKee
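The answer's three recommendations (let the library own the salt via ValidateAndReplacePassword, type the ADO parameters, check the affected row count the asker saw as 0) combined into one routine. This is an added example, not the asker's or the answerer's code; it assumes the BCrypt.Net-Next package, the question's Users table with name and password columns, the dbconnection connection string, and placeholder column sizes.

```csharp
// Added example (not code from the question or the answer).
// Assumes: BCrypt.Net-Next, a Users(name, password) table storing bcrypt strings,
// a "dbconnection" connection string; the NVarChar sizes below are placeholders.
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using BCrypt.Net;

public enum ChangeResult { Changed, WrongCurrentPassword, UserNotFound, Conflict }

public static class PasswordChanger
{
    public static ChangeResult ChangePassword(string userName, string currentPassword, string newPassword)
    {
        var connect = ConfigurationManager.ConnectionStrings["dbconnection"].ConnectionString;
        using (var conn = new SqlConnection(connect))
        {
            conn.Open();
            // 1. Read the stored hash; the salt is inside the bcrypt string, no separate column.
            string currentHash;
            using (var cmd = new SqlCommand("SELECT password FROM Users WHERE name = @name", conn))
            {
                cmd.Parameters.Add("@name", SqlDbType.NVarChar, 256).Value = userName;
                currentHash = cmd.ExecuteScalar() as string;
            }
            if (currentHash == null)
                return ChangeResult.UserNotFound;   // no row matched the name (the "0 rows" case)
            // 2. Verify the current password and produce the new hash in one library call.
            string newHash;
            try
            {
                newHash = BCrypt.Net.BCrypt.ValidateAndReplacePassword(currentPassword, currentHash, newPassword);
            }
            catch (BcryptAuthenticationException)
            {
                return ChangeResult.WrongCurrentPassword;
            }
            // 3. Update only if the stored hash is still the one verified above (guards a concurrent change).
            const string update = "UPDATE Users SET password = @newHash WHERE name = @name AND password = @oldHash";
            using (var cmd = new SqlCommand(update, conn))
            {
                cmd.Parameters.Add("@newHash", SqlDbType.NVarChar, 60).Value = newHash;
                cmd.Parameters.Add("@oldHash", SqlDbType.NVarChar, 60).Value = currentHash;
                cmd.Parameters.Add("@name", SqlDbType.NVarChar, 256).Value = userName;
                return cmd.ExecuteNonQuery() == 1 ? ChangeResult.Changed : ChangeResult.Conflict;
            }
        }
    }
}
```

The caller maps each ChangeResult to a label message, so a mismatch in the name or a stale hash is reported instead of being shown as a success.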