How to validate a user in asp.net web site using the existing encrypted password stored in the SQL Database?

Hi, I am using MD5 encryption in my asp.net website, where it stores the passwords to the database using MD5 encryption. So when I want to login using the credentials entered during the registration of the user, I am having trouble comparing the existing password from the database to the current one which I entered to login. As the stored password is in the encrypted form, I am confused how to compare the encrypted format to the text format?

I am using SQL Server as my database.


In addition to what @Jason said... I like salting the password.

using System;
using System.Security.Cryptography;
using System.Web.Security;

// Generate a random salt of byteSize bytes and return it Base64-encoded
// so it can be stored alongside the password hash.
public static string CreateSalt(int byteSize)
{
    RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
    byte[] buff = new byte[byteSize];
    rng.GetBytes(buff);
    return Convert.ToBase64String(buff);
}

// Hash the password concatenated with its salt. The same salt must be
// used again at login so the recomputed hash matches the stored one.
public static string CreatePasswordHash(string pwd, string salt)
{
    string saltAndPwd = String.Concat(pwd, salt);
    string hashedPwd = FormsAuthentication.HashPasswordForStoringInConfigFile(saltAndPwd, "sha1");
    return hashedPwd;
}
  • when the user is initially created, here is the process
  • Create the salt => CreateSalt(16)
  • Create the hash with the password and salt => CreatePasswordHash(passwordEntered, salt)
  • Store the hashed password and salt
  • next time the user logs in, validate the stored credentials against what they have entered into the login form => string enteredPasswordHash = CreatePasswordHash(enteredPassword, saltFromDatabase)
  • then compare against what is in the database => if(passwordHashInDatabase != enteredPasswordHash) => wrong login credentials

Hope this helps someone...
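The same register-then-verify flow as the answer above, written as an added example that is not part of the original answer: it keeps the salt-and-hash layout but replaces the single SHA1 pass with PBKDF2 (Rfc2898DeriveBytes) and compares the hashes in constant time. It assumes .NET Core 2.1 / .NET 5 or later for CryptographicOperations.FixedTimeEquals, and the iteration count is an assumed starting value to tune for your hardware.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not from the original answers): salted password hashing
// with PBKDF2 and a constant-time comparison at login.
public static class PasswordHasher
{
    private const int SaltSize = 16;        // bytes, like CreateSalt(16) in the answer
    private const int HashSize = 32;        // bytes of derived key to store
    private const int Iterations = 100_000; // assumption: raise as hardware allows

    // Called once at registration. Returns the salt and hash to store
    // in the user's row (both Base64 so they fit a text column).
    public static (string Salt, string Hash) Register(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        byte[] hash = Derive(password, salt);
        return (Convert.ToBase64String(salt), Convert.ToBase64String(hash));
    }

    // Called at login: recompute the hash from the entered password and the
    // stored salt, then compare with the stored hash. FixedTimeEquals does
    // not short-circuit on the first differing byte, so the comparison time
    // does not reveal how much of the hash matched.
    public static bool Verify(string enteredPassword, string storedSalt, string storedHash)
    {
        byte[] salt = Convert.FromBase64String(storedSalt);
        byte[] expected = Convert.FromBase64String(storedHash);
        byte[] actual = Derive(enteredPassword, salt);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // PBKDF2-HMAC-SHA256: many iterations make offline guessing of a leaked
    // hash far slower than a single MD5 or SHA1 pass.
    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(HashSize);
        }
    }
}
```

At sign-up call Register and store both strings in the user's row; at login look the row up by user name and pass the entered password plus the stored salt and hash to Verify, never comparing strings with != directly.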


MD5 is a one-way hash, so the password in the database cannot be converted back to plain text. Instead you have to convert the plain text password (the one entered in the login form) to cipher text using the MD5 hash algorithm.


To compare the MD5 hashes you would need to query the database based on the user name entered in the login form and return the known MD5 hash and the salt (if there is one). Then hash the given password with the known salt. You can then compare the two hashes for a match.


If you are definitely storing the password in an encrypted state, then you only need to encrypt their plaintext password (using the same key) and compare it to the database value. Apples to apples. When encrypted using the same key and algorithm, it will always encrypt and decrypt to the same value.

If this doesn't appear to be working correctly, I would guess that you are not using the same key that you used when you first stored the value in the database. Double-check and make sure that the key you encrypt with is exactly the same as the key you decrypt with. Typically, many of us will use a machine or user-level certificate as a key, to ensure that the value isn't tampered with or changed.

If (instead) you are using MD5 to hash the password, then it's not actually encrypted. Hashing totally munges the plaintext value and you will never get it back. It's the safest and smartest way to store passwords. You merely hash the plaintext into an encoded value and save it to the database -- then, you compare against that hashed value any time the user logs in.

I'm hoping you are hashing and not encrypting. It's definitely a best practice when it comes to password storage. It's very easy to implement and will save you headaches if you're ever audited.

Good luck!
