
I'm developing an ASP.NET application using SQL Server Stored Procedures. I need to hash my login password and resolve it in my sp_LoginCheck Stored Procedure.

Any suggestions?

I have already inserted data in the database.

For example:

UserName/Password

ABC/123456

DEF/987654

I want to encrypt or hash the password (whichever), then decrypt it in the stored procedure and query the table so that I can acquire the data.

  • Refer to this link over here msdn.microsoft.com/en-us/library/… But also read on other security measures like salting the password as well. Commented Jun 16, 2015 at 8:19
  • Thank you for your answer, but I could not see anything about resolving a password in the stored procedure? Commented Jun 16, 2015 at 8:28
  • Define "resolve". What do you mean by that? Resolve it how? Commented Jun 16, 2015 at 8:31
  • Why do you need to decrypt the password? Commented Jun 16, 2015 at 8:48
  • Hashing is forward only. If you have the plain password in the DB then what you can do is apply the hash to the password from the DB before comparing. The other solution is to use a utility to hash all your passwords in the DB, which is best for security reasons. Commented Jun 16, 2015 at 13:28

2 Answers

A very simple approach is to use an MD5 hash.

using System.Text;

public class MD5
{
    public static string Hash(string message)
    {
        // step 1, calculate MD5 hash from input
        // (the fully qualified name is needed because this class is also called MD5)
        using (System.Security.Cryptography.MD5 md5 = System.Security.Cryptography.MD5.Create())
        {
            byte[] inputBytes = System.Text.Encoding.ASCII.GetBytes(message);
            byte[] hash = md5.ComputeHash(inputBytes);

            // step 2, convert byte array to hex string ("X2" already gives upper-case hex)
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < hash.Length; i++)
            {
                sb.Append(hash[i].ToString("X2"));
            }
            return sb.ToString();
        }
    }
}

Then in your application

You say

var password = MD5.Hash(passwordField);

And store that in the DB.

When validating the password you just say something like

db.Account.Where(w => w.email == emailField && w.password == MD5.Hash(passwordField))

to see if you have a matching record.

As @zulq said, there are better systems, something that has a salt etc.; however, for the basic password hashing you requested, this will work.

However, if you wish to do all this in a stored procedure, you can use the HASHBYTES function in SQL:

HASHBYTES('md5', 'your password')

So, the same again: when calling the stored procedure, you pass it the plain-text password, and it hashes and stores it.

When validating, you pass the stored procedure the username / password; it validates and returns true or false, or a row.


3 Comments

You should probably show something with a salt - Better safe than sorry. MD5 for password hashing is also completely broken now and should be avoided.
The code you suggested, "hashbytes('md5', 'ppp000')", gives me 'd1bc6a15137d02274c9cd9f0bbc527ef' as the result; however, I want the exact opposite of this code, e.g. the result of hashbytes('md5', 'd1bc6a15137d02274c9cd9f0bbc527ef') should be "ppp000".
No @sulhadin, you can never reverse a hash, it's one way. You say hash of A = XYZ, then when someone types A you have the hash XYZ stored in the DB, you hash the A again and see if it matches what's stored. If you need something reversible you need encryption, not a hash.

I think you need to be more specific on what exactly you want. However there's a full answer below. Stored Procedure:

USE [YourDB]
GO
-- @password receives the hex MD5 digest from the application, which is 32
-- characters long, so the parameter must be at least varchar(32) or the
-- value is silently truncated and never matches.
CREATE PROCEDURE [dbo].[sp_LoginCheck] @UserID varchar(25), @password varchar(32)
AS
SELECT username, user_password FROM UserPassword 
WHERE username = @UserID and user_password = @password
GO

VB Code:

Imports System.Data
Imports System.Data.SqlClient

Public Function validateUser(username As String, password As String) As Boolean
    Using sqlCon = New SqlConnection(yourConStr)
        Dim cmd = New SqlCommand("sp_LoginCheck", sqlCon)
        cmd.CommandType = CommandType.StoredProcedure
        cmd.Parameters.AddWithValue("@UserID", username)
        ' hash the supplied password the same way it was hashed when stored
        cmd.Parameters.AddWithValue("@password", GetMd5Hash(password))
        sqlCon.Open()
        Dim dr As SqlDataReader = cmd.ExecuteReader()
        ' a row comes back only when username and hashed password both match
        If dr.Read() Then
            Return True
        Else
            Return False
        End If
    End Using
End Function

Note: you should enclose the code in Try/Catch and do the password hashing. You should store the hashed password and, when comparing, compare the hash with the one in the DB. Refer to the other answer for hashing.

For your convenience straight from MSDN and slightly modified:

Imports System.Security.Cryptography
Imports System.Text

Shared Function GetMd5Hash(ByVal input As String) As String 
    Using md5Hash As MD5 = MD5.Create()
        Dim data As Byte() = md5Hash.ComputeHash(Encoding.UTF8.GetBytes(input))            
        ' render the 16 digest bytes as 32 lower-case hex characters
        Dim sBuilder As New StringBuilder()
        Dim i As Integer 
        For i = 0 To data.Length - 1
            sBuilder.Append(data(i).ToString("x2"))
        Next i    
        Return sBuilder.ToString()    
    End Using
End Function 

4 Comments

Please read the post fully. Get it straight from the MSDN link I sent in my first comment.
If my password in the database is "123456", what will be the result once I use the code you suggested?
Then change GetMd5Hash(password) to password where you add the parameter for the password. But the best thing is to hash and salt all your passwords in the DB.
@zulq a hash is a one-way algorithm, meaning you can't get the password back. If you want something that is reversible you should look at encryption. However, if you are using this to store passwords it's a very, very, very bad idea.
