
I am trying to store the hashed password in the database, like given below.

```csharp
Md5Encrypt.Md5EncryptPassword(viewModel.User.PasswordHash);
```

Textual password: TestBasant1900

And it gets stored in my database table in SQL Server like this after passing it through Md5Encrypt: zb??"??8?(Y???0z

When I try to check the password in the database against the password of the user currently logging in:

```csharp
public bool Login(string userName, string password)
{
    try
    {
        // Missing "()" on the constructor call in the original listing
        using (var db1 = new DBEnitityObj())
        {
            var user = (from u in db1.ftUsers
                        where (u.UserName == userName && u.IsApproved == true)
                        select u).First();

            var PasswordHash1 = user.PasswordHash;          // hash text as read back from SQL Server
            var encoded = Md5Encrypt.Md5EncryptPassword(password); // hash text computed from the login form
            // It fails in the below condition: the two strings never compare equal

            return user.PasswordHash.Equals(encoded);
        }
    }
    catch
    {
        return false;
    }
}
```

It fails in that condition, since the hashed password computed here comes back as: zb��"��8�(Y���0z

I am using this for MD5 hashing:

```csharp
using System.Security.Cryptography;
using System.Text;

public static string Md5EncryptPassword(string data)
{
    var encoding = new ASCIIEncoding();
    var bytes = encoding.GetBytes(data);
    var hashed = MD5.Create().ComputeHash(bytes);
    // Decodes the raw 16 digest bytes as if they were UTF-8 text
    // (this is where the mismatch described above comes from)
    return Encoding.UTF8.GetString(hashed);
}
```

Can anyone please tell me why the hashed password is not matching the password I enter on the user interface?

zb��"��8�(Y���0z is not equal to zb??"??8?(Y???0z

Can someone guide me on what to do, guys? Thanks in advance.

Shanu Garg
  • What is the datatype in the database for the password field? – Thomas Weller Feb 24 '21 at 15:47
  • [Compute/compare hash values](https://learn.microsoft.com/en-us/troubleshoot/dotnet/csharp/compute-hash-values)... you need to compare your source (database) hash against the computed hash of the password you pass in to check against. – Trevor Feb 24 '21 at 15:48
  • @ThomasWeller In the table in SQL Server the column's datatype is nvarchar(MAX), and in the stored procedure call in the code-behind I am using `cmd.Parameters.Add("@PasswordHash", SqlDbType.VarChar, 50);` – Shanu Garg Feb 24 '21 at 15:50
  • @ShanuGarg You cannot just convert the hashed bytes to a UTF8 string. This will fail. Better use base64 for this. Refer to https://learn.microsoft.com/en-us/dotnet/api/system.convert.tobase64string?view=net-5.0 Please note that a base64 string might contain more bytes than the byte[] it was parsed from. – Dominik Feb 24 '21 at 15:58
  • To be honest here, you have more than one issue; the one explained below by @Thomas Weller is one of them. Once you get that straightened out, please see my comment from above; specifically you need to compare hashes (byte arrays), which also confirms the hashes are identical; you don't compare strings of hashes. – Trevor Feb 24 '21 at 15:58
  • Once you've sorted this you'd better use a more appropriate method to hash your passwords. Take a look at pbkdf2, bcrypt or argon2. DO NOT GO IN TO PRODUCTION WITH MD5, it is easy to find a reverse hash and not recommended for password hashing. – phuzi Feb 24 '21 at 16:20

1 Answer

You store the data as VARCHAR, which is a string (text). MD5 gives you bytes. It is not guaranteed that these bytes are convertible to a string (text). The � character is the Unicode replacement character and means that there was an illegal character.

You either want to store the result as binary data (BLOB) or you want to ensure that it becomes simple text by encoding it in Base64 or hex, for example.

Kit
Thomas Weller
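A corrected version of the hashing helper, added here as an example (it is not code from the question or the answer) and assuming .NET 6 or later: the MD5 digest is rendered as hex or Base64 so it survives a text column, verification decodes the stored text back to bytes and compares byte arrays in constant time, and a salted PBKDF2 variant is included since the comments recommend it over MD5. The `iterations.salt.hash` storage format is an assumption chosen for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class PasswordHashing
{
    // Same MD5 as the question, but returned as printable text. Decoding the raw
    // digest bytes as UTF-8 replaces invalid sequences with U+FFFD, and that text
    // never round-trips through an NVARCHAR column, which is why the compare fails.
    // UTF-8 is used for the input bytes so non-ASCII passwords are not mapped to '?'.
    public static string Md5Hex(string password) =>
        Convert.ToHexString(MD5.HashData(Encoding.UTF8.GetBytes(password))); // 32 chars

    public static string Md5Base64(string password) =>
        Convert.ToBase64String(MD5.HashData(Encoding.UTF8.GetBytes(password))); // 24 chars

    // Decode the stored text back to bytes and compare byte arrays in constant time.
    public static bool VerifyMd5Hex(string storedHex, string password)
    {
        byte[] stored = Convert.FromHexString(storedHex);
        byte[] computed = MD5.HashData(Encoding.UTF8.GetBytes(password));
        return CryptographicOperations.FixedTimeEquals(stored, computed);
    }

    // What the comments recommend instead of MD5: salted PBKDF2 (.NET 6+ API).
    // Storage format is an assumption for this example: "iterations.salt.hash",
    // salt and hash Base64-encoded, so the whole record is plain text.
    public static string Pbkdf2Hash(string password, int iterations = 100_000)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations,
                                               HashAlgorithmName.SHA256, 32);
        return $"{iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(key)}";
    }

    public static bool VerifyPbkdf2(string stored, string password)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations)) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations,
                                                  HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }
}
```

With the question's column, `Md5Hex` or `Md5Base64` output fits in `VarChar(50)` and reads back unchanged, so `VerifyMd5Hex(user.PasswordHash, password)` replaces the failing string `Equals` call; the PBKDF2 record is longer and needs a wider column.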