How do I store a password in a SQL database, and is there any need to convert the user input password? I tried to save the password from a textbox that is in password mode in the form, but it stored blank/null in the database. When I changed password mode to text, it works fine.
Not enough info in your question to provide a meaningful answer. Can you post some code, SQL, table definitions, etc? – RickNZ Dec 25 '11 at 06:53
Encrypt with some other two-way algorithm if you need the password for some reason in the future, for example if it was not a password but a secret string you need to display.... – tgkprog Apr 14 '14 at 13:51
http://stackoverflow.com/questions/165808/simple-two-way-encryption-for-c-sharp – tgkprog Apr 14 '14 at 17:29
4 Answers
Storing the password in an encrypted format is good practice. You can use the MD5 hashing algorithm for encrypting it. Here is sample code for hashing a string:
```csharp
using System;
using System.Text;
using System.Security.Cryptography;

// Create an md5 sum string of this string
static public string GetMd5Sum(string str)
{
    // First we need to convert the string into bytes, which
    // means using a text encoder.
    Encoder enc = System.Text.Encoding.Unicode.GetEncoder();

    // Create a buffer large enough to hold the string
    byte[] unicodeText = new byte[str.Length * 2];
    enc.GetBytes(str.ToCharArray(), 0, str.Length, unicodeText, 0, true);

    // Now that we have a byte array we can ask the CSP to hash it
    MD5 md5 = new MD5CryptoServiceProvider();
    byte[] result = md5.ComputeHash(unicodeText);

    // Build the final string by converting each byte
    // into hex and appending it to a StringBuilder
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < result.Length; i++)
    {
        sb.Append(result[i].ToString("X2"));
    }

    // And return it
    return sb.ToString();
}
```
You cannot reverse the encrypted text back to a normal string.
Contact if there is any doubt.

Thanks for the reply, Meherzad. What does the "x2" do in sb.Append(result[i].ToString("X2"));? – Abhishek Nayak Dec 25 '11 at 09:08
I propose that one should convert the password in place and save it in the database. Generally, we don't save plain text in the database; hence it should be an encrypted password.
For the database design:
In the database, add two fields, cipher text and key, to the table to store the password process and ultimately the user password.
Then the program should encrypt the password and save the cipher text and key into the datatable columns as mentioned.
Then, once the user logs on again, just comparing whether the cipher text is equal or not will give a login status of success or failure.
Example Code
```csharp
using System;
using System.Security.Cryptography;
using System.Text;

/// <summary>
/// Encrypts the specified hash algorithm.
/// 1. Generates a cryptographic Hash Key for the provided text data.
/// </summary>
/// <param name="hashAlgorithm">The hash algorithm.</param>
/// <param name="dataToHash">The data to hash.</param>
/// <returns></returns>
public static string Encrypt(HashAlgorithm hashAlgorithm, string dataToHash)
{
    var UTF8 = new System.Text.UTF8Encoding();
    byte[] data = UTF8.GetBytes(dataToHash);
    byte[] result = hashAlgorithm.ComputeHash(data);

    // Two hex characters per hash byte
    var hexResult = new StringBuilder(result.Length * 2);
    for (int i = 0; i < result.Length; i++)
    {
        // Convert to hexadecimal
        hexResult.Append(result[i].ToString("X2"));
    }
    return hexResult.ToString();
}

/// <summary>
/// Determines whether [is hash match] [the specified hash algorithm].
/// </summary>
/// <param name="hashAlgorithm">The hash algorithm.</param>
/// <param name="hashedText">The hashed text.</param>
/// <param name="unhashedText">The unhashed text.</param>
/// <returns>
/// <c>true</c> if [is hash match] [the specified hash algorithm];
/// otherwise, <c>false</c>.
/// </returns>
public static bool IsHashMatch(HashAlgorithm hashAlgorithm,
    string hashedText, string unhashedText)
{
    // Hash the candidate text and compare it with the stored hash
    string hashedTextToCompare = Encrypt(
        hashAlgorithm, unhashedText);
    return (String.Compare(hashedText,
        hashedTextToCompare, false) == 0);
}
```
Generally no, there is no need to convert it (at least in my experience), but for more security some users use an encryption/decryption method or convert it to Base64, and the best way is a one-way algorithm like a hash.
Ali

I'm assuming you are using some type of databound control.
I would create an onInserting event and assign the tbPassword.text value to some variable, and debug to see if the password is being assigned to the variable first. This would also be where you hash and salt the password to prevent someone directly hacking into your database from being able to impersonate any of your users.
If you are saving the password values in the code behind, then you can skip adding the onInserting step from above and just examine the values there.
If you are saving using a stored procedure also, you might want to print out the parameter and run it with the values you are passing from the web site and see what shows up.
