Password Hashing
Message
From: Frank Cazabon, 21/07/2016 14:38:46
To: All
General information
Forum: ASP.NET
Category: Coding, syntax and commands
Title: Password Hashing
Environment versions
Environment: C# 4.0
Database: MS SQL Server
Application: Web
Miscellaneous
Thread ID: 01638543
Message ID: 01638543
Views: 83
Hi,

I'm making my first foray into trying to store hashed passwords instead of the actual password for user access.

I've created a user table in SQL Server and have a column called PasswordHash of type varbinary(50).

I tried to read it out like this:
byte[] storedHash = null;
storedHash = (byte)cmd.ExecuteScalar();
but I'm not sure what type it comes back as if the SQL data type is varbinary(50), or how to convert it properly.

Here's the full C# code:
        private bool ValidateUser(string userName, string passWord)
        {
            SqlConnection conn;
            SqlCommand cmd;
            byte[] storedHash = null;

            // Check for invalid userName.
            // userName must not be null and must be between 1 and 15 characters.
            if ((null == userName) || (0 == userName.Length) || (userName.Length > 15))
            {
                System.Diagnostics.Trace.WriteLine("[ValidateUser] Input validation of userName failed.");
                return false;
            }

            // Check for invalid passWord.
            // passWord must not be null and must be between 1 and 25 characters.
            if ((null == passWord) || (0 == passWord.Length) || (passWord.Length > 25))
            {
                System.Diagnostics.Trace.WriteLine("[ValidateUser] Input validation of passWord failed.");
                return false;
            }

            // Hash the supplied password only after validation, so a null passWord never reaches GetBytes.
            byte[] byteArray = Encoding.UTF8.GetBytes(passWord);
            MemoryStream stream = new MemoryStream(byteArray);

            var sha1 = new SHA1CryptoServiceProvider();
            byte[] hashedPassword = sha1.ComputeHash(stream);

            try
            {
                // Consult with your SQL Server administrator for an appropriate connection
                // string to use to connect to your local SQL Server.
                conn = new SqlConnection(ConfigurationManager.ConnectionStrings["DocsTSConnectionString"].ConnectionString);
                conn.Open();

                // Create SqlCommand to select pwd field from users table given supplied userName.
                cmd = new SqlCommand("Select usr_passwordhash from users where loginid=@userName", conn);
                cmd.Parameters.Add("@userName", SqlDbType.VarChar, 25);
                cmd.Parameters["@userName"].Value = userName;

                storedHash = (Byte)cmd.ExecuteScalar();

                // Cleanup command and connection objects.
                cmd.Dispose();
                conn.Dispose();
            }
            catch (Exception ex)
            {
                // Add error handling here for debugging.
                // This error message should not be sent back to the caller.
                System.Diagnostics.Trace.WriteLine("[ValidateUser] Exception " + ex.Message);
            }

            // If no password found, return false.
            if (null == storedHash)
            {
                // You could write failed login attempts here to event log for additional security.
                return false;
            }

            // Compare lookupPassword and input passWord, using a case-sensitive comparison.
            return (storedHash.SequenceEqual(hashedPassword));

        }
Frank.

Frank Cazabon
Samaan Systems Ltd.
www.samaansystems.com
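As an added example (not Frank's code and not from this thread): ExecuteScalar() returns the varbinary(50) value boxed as a byte[], so the cast is (byte[]) rather than (byte), and the null and DBNull.Value cases have to be handled before casting; the example also keeps the input checks ahead of any hashing and replaces the unsalted SHA-1 with salted PBKDF2, because a bare SHA-1 of the password gives every user with the same password the same stored value and is fast to brute-force. Assumed here: the salt+hash layout inside the single varbinary(50) column, the salt length, hash length and iteration count, and the fixed-time comparison helper; the users table, usr_passwordhash column and DocsTSConnectionString names are taken from the post.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Linq;
using System.Security.Cryptography;
static class PasswordStore
{
    // Assumed column layout: 16-byte random salt + 32-byte PBKDF2 hash = 48 bytes, fits varbinary(50).
    const int SaltLen = 16, HashLen = 32, Iterations = 100000; // assumed parameters
    // Value to store in PasswordHash when the user sets a password.
    public static byte[] CreateStoredValue(string passWord)
    {
        byte[] salt = new byte[SaltLen];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(passWord, salt, Iterations))
            return salt.Concat(kdf.GetBytes(HashLen)).ToArray();
    }
    // ExecuteScalar() returns the varbinary column boxed as byte[]; null means no row, DBNull.Value a NULL column.
    static byte[] ReadVarBinary(SqlCommand cmd)
    {
        object result = cmd.ExecuteScalar();
        return (result == null || result == DBNull.Value) ? null : (byte[])result;
    }
    // Looks at every byte so the time taken does not reveal where the first mismatch is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    public static bool ValidateUser(string userName, string passWord)
    {
        // Validate before touching the inputs (the original hashed passWord before its null check).
        if (string.IsNullOrEmpty(userName) || userName.Length > 15 || string.IsNullOrEmpty(passWord) || passWord.Length > 25) return false;
        byte[] stored;
        string cs = ConfigurationManager.ConnectionStrings["DocsTSConnectionString"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("select usr_passwordhash from users where loginid=@userName", conn))
        {
            cmd.Parameters.Add("@userName", SqlDbType.VarChar, 25).Value = userName;
            conn.Open();
            stored = ReadVarBinary(cmd); // the using blocks dispose conn and cmd even if this throws
        }
        if (stored == null || stored.Length != SaltLen + HashLen) return false;
        using (var kdf = new Rfc2898DeriveBytes(passWord, stored.Take(SaltLen).ToArray(), Iterations))
            return FixedTimeEquals(stored.Skip(SaltLen).ToArray(), kdf.GetBytes(HashLen));
    }
}
```

CreateStoredValue produces the value to INSERT into PasswordHash when a password is set; ValidateUser is the replacement for the method in the post and returns false for an unknown user, a NULL column, or a wrong password alike.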