Password Hashing
Posted: 25/07/2016 15:09:32

Forum: ASP.NET
Category: Coding, syntax and commands
Environment: C# 4.0
Database: MS SQL Server
Application: Web
Thread ID: 01638543
Message ID: 01638607
Views: 52
Thanks Rick,

If I had continued that way I would have added the salt, but as it is, the built-in stuff does the salting for me. The hardest part with it so far was understanding how it worked and moving it from a separate database to my own database, as I need to link records in my database with the user who is currently logged in. I've got all that working nicely. Next step is to do a screen to allow a Role to be assigned to a user.

>Hi Frank,
>
>This is a good start, but you probably want to add some salt to your hashing algorithm to ensure you can't do a lookup table match on your data. Using plain hashes from standard hashing algorithms is not sufficient, as you can do a reverse lookup on the base hashes, even online, and match them.
>
>To add salt, you need to add some random salt or, better yet, a per-key salt (like the primary key) to ensure the hashed values are specific to your application or, even better, to each hashed value.
>
>I posted a wwEncrypt class sample here a while back that you can search for that should give you an idea on how this works.
>
>
>
>+++ Rick ---
>
>>Hi,
>>
>>I'm making my first foray into trying to store hashed passwords instead of the actual password for user access.
>>
>>I've created a user table in SQL Server and have a column called PasswordHash of type varbinary(50).
>>
>>I tried to read it out like this:
>>
>>
>>byte[] storedHash = null;
>>storedHash = (byte)cmd.ExecuteScalar();
>>
>>but I'm not sure what type it comes back as if the SQL data type is varbinary(50), or how to convert it properly.
>>
>>Here's the full C# code:
>>
>>
>>        private bool ValidateUser(string userName, string passWord)
>>        {
>>            SqlConnection conn;
>>            SqlCommand cmd;
>>            byte[] storedHash = null;
>>
>>            // convert string to stream
>>            byte[] byteArray = Encoding.UTF8.GetBytes(passWord);
>>            MemoryStream stream = new MemoryStream(byteArray);
>>
>>            var sha1 = new SHA1CryptoServiceProvider();
>>            byte[] hashedPassword = sha1.ComputeHash(stream);
>>
>>            // Check for invalid userName.
>>            // userName must not be null and must be between 1 and 15 characters.
>>            if ((null == userName) || (0 == userName.Length) || (userName.Length > 15))
>>            {
>>                System.Diagnostics.Trace.WriteLine("[ValidateUser] Input validation of userName failed.");
>>                return false;
>>            }
>>
>>            // Check for invalid passWord.
>>            // passWord must not be null and must be between 1 and 25 characters.
>>            if ((null == passWord) || (0 == passWord.Length) || (passWord.Length > 25))
>>            {
>>                System.Diagnostics.Trace.WriteLine("[ValidateUser] Input validation of passWord failed.");
>>                return false;
>>            }
>>
>>            try
>>            {
>>                // Consult with your SQL Server administrator for an appropriate connection
>>                // string to use to connect to your local SQL Server.
>>                conn = new SqlConnection(ConfigurationManager.ConnectionStrings["DocsTSConnectionString"].ConnectionString);
>>                conn.Open();
>>
>>                // Create SqlCommand to select pwd field from users table given supplied userName.
>>                cmd = new SqlCommand("Select usr_passwordhash from users where loginid=@userName", conn);
>>                cmd.Parameters.Add("@userName", SqlDbType.VarChar, 25);
>>                cmd.Parameters["@userName"].Value = userName;
>>
>>                storedHash = (Byte)cmd.ExecuteScalar();
>>
>>                // Cleanup command and connection objects.
>>                cmd.Dispose();
>>                conn.Dispose();
>>            }
>>            catch (Exception ex)
>>            {
>>                // Add error handling here for debugging.
>>                // This error message should not be sent back to the caller.
>>                System.Diagnostics.Trace.WriteLine("[ValidateUser] Exception " + ex.Message);
>>            }
>>
>>            // If no password found, return false.
>>            if (null == storedHash)
>>            {
>>                // You could write failed login attempts here to event log for additional security.
>>                return false;
>>            }
>>
>>            // Compare lookupPassword and input passWord, using a case-sensitive comparison.
>>            return (storedHash.SequenceEqual(hashedPassword));
>>
>>        }
>>
Frank.

Frank Cazabon
Samaan Systems Ltd.
www.samaansystems.com
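Rick's advice about a per-user salt and Frank's question about what the varbinary column comes back as, worked through in an added example. This is not code from the thread or from the wwEncrypt class Rick mentions; the class and method names are made up here, it assumes the column stays varbinary(50), and it sticks to APIs present in .NET Framework 4.0.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the thread: salted PBKDF2 for a varbinary column.
public static class PasswordHasher
{
    const int SaltSize = 16, HashSize = 32;   // 48 bytes total, fits varbinary(50)
    const int Iterations = 100000;            // raise as hardware allows

    // Stored layout: salt || derived key. A fresh random salt per user defeats
    // the lookup-table match Rick describes.
    public static byte[] HashPassword(string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        byte[] key = Derive(password, salt);
        var stored = new byte[SaltSize + HashSize];
        Buffer.BlockCopy(salt, 0, stored, 0, SaltSize);
        Buffer.BlockCopy(key, 0, stored, SaltSize, HashSize);
        return stored;
    }

    // ExecuteScalar() returns object: a byte[] for varbinary when a row matched,
    // null when no row matched, DBNull.Value when the column itself is NULL.
    // Unboxing with (byte) fails; cast to byte[] after the null checks.
    public static byte[] ReadStoredHash(object scalar)
    {
        return (scalar == null || scalar == DBNull.Value) ? null : (byte[])scalar;
    }

    public static bool Verify(byte[] stored, string password)
    {
        if (stored == null || stored.Length != SaltSize + HashSize) return false;
        var salt = new byte[SaltSize];
        Buffer.BlockCopy(stored, 0, salt, 0, SaltSize);
        byte[] key = Derive(password, salt);
        int diff = 0;                          // fixed-time compare, no early exit
        for (int i = 0; i < HashSize; i++) diff |= stored[SaltSize + i] ^ key[i];
        return diff == 0;
    }

    static byte[] Derive(string password, byte[] salt)
    {
        // PBKDF2-HMAC-SHA1; this constructor exists in .NET Framework 4.0.
        using (var kdf = new Rfc2898DeriveBytes(Encoding.UTF8.GetBytes(password), salt, Iterations))
            return kdf.GetBytes(HashSize);
    }
}
```

In Frank's ValidateUser this replaces the SHA1 block and the cast: store `PasswordHasher.HashPassword(passWord)` when the account is created, then return `PasswordHasher.Verify(PasswordHasher.ReadStoredHash(cmd.ExecuteScalar()), passWord)`.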