Hash password on existing database (postgre)

  • Question

  • User-1603248099 posted

    Hey folks, 

    I am at the moment looking to rewrite a project I did in RubyOnRails in ASP.NET. All of the data for this project is on a Postgre server, which is not a problem, because I should be able to get access to its data. 

    However, before I get started, I did have a question and I believe it should be a quite simple question to answer.

    On my RubyOnRails app I used Devise for user management, which I know defaults to using BCrypt to hash the passwords. I know I can set up BCrypt fairly easily on ASP.NET; however, I am still somewhat naive when it comes to hashing. Would I be able to still verify (or if need be, change) existing passwords through my ASP.NET project just as long as the same hash (BCrypt) is used for both projects? Or is there something I could be potentially missing?

    I thought I would check to see if such a thing were possible before I approach it. 

    Sunday, February 7, 2016 2:23 PM

Answers

  • User-821857111 posted

    If the same algorithm is used to generate the hash, the resulting hash should be the same regardless of platform. In any event, this should be very simple for you to test for yourself. Take a known password from your existing app, and compare the hash to one generated by a console app using a library that implements BCrypt. Here's one: https://www.nuget.org/packages/Zetetic.Security

    The only thing you need to check is the number of computations/iterations that Devise uses. The library I linked to uses 2^10.

    Worst case scenario, you need to get all your users to change their passwords.  

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, February 16, 2016 8:55 AM
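
The cost check mentioned in the answer above, as an added example that is not part of the original thread: a bcrypt string in modular crypt format carries its version prefix, cost and salt, so the values Devise stored can be audited before the migration. The names `parse_bcrypt`, `audit`, `accepted_versions` and `min_cost` are assumptions made for this illustration, and the sample strings are constructed, not hashes of any password.

```ruby
# Layout: $<version>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = %r{\A\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})\z}

BcryptInfo = Struct.new(:version, :cost, :iterations, :salt, :digest)

# Returns a BcryptInfo, or nil when the value is not a well-formed bcrypt string.
def parse_bcrypt(stored)
  m = BCRYPT_RE.match(stored.to_s)
  return nil unless m
  cost = m[2].to_i
  return nil unless (4..31).cover?(cost)   # bcrypt's valid cost range
  BcryptInfo.new(m[1], cost, 2**cost, m[3], m[4])
end

# Sorts user ids into buckets. accepted_versions is whatever the target
# library is known to verify (an assumption here; check its documentation).
def audit(rows, accepted_versions:, min_cost:)
  report = { ok: [], unsupported_version: [], weak_cost: [], malformed: [] }
  rows.each do |id, stored|
    info = parse_bcrypt(stored)
    bucket =
      if info.nil? then :malformed
      elsif !accepted_versions.include?(info.version) then :unsupported_version
      elsif info.cost < min_cost then :weak_cost
      else :ok
      end
    report[bucket] << id
  end
  report
end

# Constructed sample rows standing in for id => stored hash pairs.
SALT   = "abcdefghijklmnopqrstuv"
DIGEST = "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE_ROWS = {
  1 => "$2a$10$#{SALT}#{DIGEST}",
  2 => "$2y$10$#{SALT}#{DIGEST}",         # prefix the target may not accept
  3 => "$2a$04$#{SALT}#{DIGEST}",         # low cost
  4 => "$2a$10$#{SALT}#{DIGEST[0, 20]}",  # truncated column value
  5 => nil                                # account without a password
}

if __FILE__ == $PROGRAM_NAME
  p audit(SAMPLE_ROWS, accepted_versions: %w[2a 2b], min_cost: 10)
end
```

Rows reported as `ok` can be verified by any bcrypt implementation that accepts their prefix; the other buckets are the accounts that would need a password reset or a rehash at next login.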

All replies

  • User-1603248099 posted

    I will have to look up the iterations. But I will do the test and see how it works out. As you say, the worst case scenario is for members to change their password. 

    I was using a different library for BCrypt, I think it was BCrypt.NET off the top of my head, but I'll check out Zetetic. I'll see what my settings are for Devise; it should be the default as I've not changed anything when I wrote my original project.

    Monday, February 22, 2016 8:20 PM