Hash and salt Password form not allowing user to login

  • Question

  • I am using a hash and salt password formation to try to log in users, but I keep getting "Sorry, Username or password is Invalid". Pls ignore the SQL injection problem with this code. I will fix it later, but first I want to make sure that the login part is working properly. I am just wondering if I am missing anything.

    Thanks for your time 

    Tuesday, December 19, 2017 3:08 PM

All replies

  • Please disregard the above, I figured out what I was not doing; let me go fix it and I will get back to the forum if it does not solve the problem. Thanks

    AL

    Tuesday, December 19, 2017 3:25 PM
  • Hi alobi,

    If you have resolved the issue, could you please share the solution and mark it as the answer? It will be beneficial to other community members who have a similar issue.

    If the issue still exists, please provide more information and feel free to let us know.

    Best regards,

    Zhanglong Wu


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Wednesday, December 20, 2017 5:45 AM
    Moderator
  • It was not resolved; I just had an idea, but it did not work.

    The hashing and salt process is working fine. It saves properly in the Users table as Password, but I run into a problem when I try to check a plain password against the saved password. Below is my code. I will appreciate all help.

      

    Private Sub btnLogin_Click(sender As Object, e As EventArgs) Handles btnLogin.Click
        ' Defect left visible for the discussion: hashing the typed password with a
        ' fresh CreateRandomSalt can never reproduce the value stored at sign-up.
        ' The salt that was used at sign-up has to be loaded and reused here.
        Dim hashedpasswrd As String = Hash512(txtPlainPassword.Text, CreateRandomSalt)

        Using conn As New OleDbConnection(connString)
            conn.Open()
            ' OleDb binds parameters by position, but the placeholder names are kept
            ' consistent with the AddWithValue calls (the post had @Usernae / @UserName).
            Using cmd As New OleDbCommand("SELECT * FROM Users WHERE [UserName] = @UserName AND [Password] = @Pswrd", conn)
                cmd.Parameters.AddWithValue("@UserName", Txthash.Text)
                cmd.Parameters.AddWithValue("@Pswrd", hashedpasswrd)

                ' userFound holds True if a matching row came back, otherwise False.
                ' The post never assigned it from the reader, so it stayed False.
                Dim userFound As Boolean = False
                Using dr As OleDbDataReader = cmd.ExecuteReader()
                    userFound = dr.Read()
                End Using

                ' checking the result
                If userFound Then
                    frmMain.Show()
                    Me.Hide()
                Else
                    MsgBox("Sorry, username or password not valid", MsgBoxStyle.OkOnly, "Invalid Login")
                End If
            End Using
        End Using
    End Sub
    AL
    Wednesday, December 20, 2017 4:06 PM
  • alobi,

    This works:

    ' HashString and HashCompare come from Frank's own HashGenerator helper class,
    ' which is not included in this post.
    Public Class Form1
        Private Sub _
            Form1_Load(sender As System.Object, _
                       e As System.EventArgs) _
                       Handles MyBase.Load

            Const password As String = "MyPassword"

            Dim hash As String = _
                HashString(password, HashGenerator.HashAlgorithm.SHA1, HashGenerator.HashStringFormat.ConvertToHexString)

            ' The second string to compare; the post hashed password again here,
            ' leaving test1 unused.
            Const test1 As String = "MyPassword"

            Dim testHash As String = _
                HashString(test1, HashGenerator.HashAlgorithm.SHA1, HashGenerator.HashStringFormat.ConvertToHexString)

            If HashCompare(hash, testHash) Then
                MessageBox.Show("The hash of the strings match.", "Success")
            Else
                MessageBox.Show("The hash of the strings do NOT match.", "Failed")
            End If

            Stop

        End Sub
    End Class

    You can duplicate that if you want and you'll see that they do match. If you change it even a little though (check spelling and case), they won't match, which is why it's a great solution.

    ***** EDIT *****


    "A problem well stated is a problem half solved." - Charles F. Kettering


    • Edited by Frank L. Smith Wednesday, December 20, 2017 8:04 PM ...forgot the screenshot
    Wednesday, December 20, 2017 8:02 PM
  • Part 1: I am not sure how to translate this to what I am doing; I am not very strong at this. I am comparing with a password in the database (the password is a combination of the plain password and salt). This is created when the user first signs up. This part is working fine; it is saving in the database OK.

    Part 2: this is where I am having the issues. When the user returns to log in and types the plain password, I need to create the hashed password and compare it with the password in the table; if there is a match the user will be allowed to continue.

    • Edited by alobi Thursday, December 21, 2017 9:07 AM
    Thursday, December 21, 2017 7:29 AM
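    The sign-up and login cycle alobi describes in Part 1 and Part 2, as an added example that is not code from this thread or from alobi's project, written in Python so it runs stand-alone. The function names `register`, `login` and `login_with_fresh_salt`, the in-memory `USERS` table and the single-column "salt$hash" record format are my assumptions; PBKDF2-HMAC-SHA512 stands in for the thread's Hash512 helper. It shows the point the btnLogin_Click code above misses: the salt generated at sign-up must be stored and reloaded at login, because calling CreateRandomSalt again at login yields a hash that can never equal the stored one.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the thread's Users table: username -> the text that
# would go into the single [Password] column. Real code reads/writes a database.
USERS = {}

ITERATIONS = 100_000  # PBKDF2 work factor; raise as hardware allows
SALT_BYTES = 16


def create_random_salt() -> bytes:
    """Fresh random salt; generated exactly once per password, at sign-up."""
    return os.urandom(SALT_BYTES)


def hash_password(plain: str, salt: bytes) -> bytes:
    """Salted, iterated SHA-512 (PBKDF2-HMAC); assumed stand-in for Hash512."""
    return hashlib.pbkdf2_hmac("sha512", plain.encode("utf-8"), salt, ITERATIONS)


def encode_record(salt: bytes, digest: bytes) -> str:
    """Pack salt and hash into one column value so the salt is never lost."""
    return salt.hex() + "$" + digest.hex()


def decode_record(record: str) -> tuple:
    """Inverse of encode_record: recover the salt that was used at sign-up."""
    salt_hex, digest_hex = record.split("$", 1)
    return bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def register(username: str, plain: str) -> str:
    """Part 1 of the thread: hash with a new salt, store salt and hash together."""
    salt = create_random_salt()
    record = encode_record(salt, hash_password(plain, salt))
    USERS[username] = record
    return record


def login(username: str, plain: str) -> bool:
    """Part 2 done right: reuse the stored salt, then compare in constant time."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so the response time
        # does not reveal whether the username exists.
        hash_password(plain, b"\x00" * SALT_BYTES)
        return False
    salt, stored_digest = decode_record(record)
    return hmac.compare_digest(hash_password(plain, salt), stored_digest)


def login_with_fresh_salt(username: str, plain: str) -> bool:
    """The btnLogin_Click logic from the thread: a new random salt at login.
    Even the correct password fails, because the salt differs from sign-up."""
    record = USERS.get(username)
    if record is None:
        return False
    _, stored_digest = decode_record(record)
    return hmac.compare_digest(hash_password(plain, create_random_salt()), stored_digest)


if __name__ == "__main__":
    register("alobi", "correct-horse-battery")  # constructed sample user
    print("stored salt reused :", login("alobi", "correct-horse-battery"))
    print("wrong password     :", login("alobi", "wrong"))
    print("fresh salt at login:", login_with_fresh_salt("alobi", "correct-horse-battery"))
```

    In the thread's schema the salt would either be packed into the existing [Password] column as above or kept in its own column; either way the login query should select the row by username alone and do the hash comparison in code, rather than putting a freshly computed hash into the WHERE clause.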
  • Part 1: I am not sure how to translate this to what I am doing; I am not very strong at this. I am comparing with a password in the database (the password is a combination of the plain password and salt). This is created when the user first signs up. This part is working fine; it is saving in the database OK.

    Part 2: this is where I am having the issues. When the user returns to log in and types the plain password, I need to create the hashed password and compare it with the password in the table; if there is a match the user will be allowed to continue.

    For right now, forget hashing or applying salt to the hash ... all of that.

    In a new test project, let's try something else instead. My goal here is that you can see that they compare the same (because they are the same):

    Public Class Form1
        Private Sub _
            Form1_Load(sender As System.Object, _
                       e As System.EventArgs) _
                       Handles MyBase.Load
    
            Const password As String = "MyPassword"
    
            Dim encryptedString1 As String = Nothing
            Dim encryptedString2 As String = Nothing
    
            Using s3d As New Simple3Des
                encryptedString1 = s3d.EncryptData(password)
                encryptedString2 = s3d.EncryptData(password)
            End Using
    
            MessageBox.Show(String.Format("Encrypted 1: {0}{1}Encrypted 2: {2}", _
                                          encryptedString1, vbCrLf, encryptedString2), _
                                          "These are the same.")
    
    
            ' Let’s do this programmatically -- String
            ' equality is built so I’ll use it following:
    
            If encryptedString1.Equals(encryptedString2) Then
                MessageBox.Show("They are equal.", "Result")
            Else
                MessageBox.Show("They are not equal.", "Result")
            End If
    
            Stop
    
        End Sub

    End Class

    ''' <summary>
    ''' A method which will encrypt/decrypt a string.
    ''' </summary>
    ''' <remarks>Based on: https://msdn.microsoft.com/en-us/library/ms172831.aspx</remarks>
    Public NotInheritable Class Simple3Des
        Implements IDisposable
    
        Private TripleDes As New Security.Cryptography.TripleDESCryptoServiceProvider
    
        Sub New()
    
            ' If you were going to obfuscate this, setting the following
            ' to a constant would be a horrible idea!
    
            Const key As String = "JEj7#r4chAfa"
    
            TripleDes.Key = TruncateHash(key, TripleDes.KeySize \ 8)
            TripleDes.IV = TruncateHash("", TripleDes.BlockSize \ 8)
        End Sub
    
        Public Function EncryptData(ByVal plaintext As String) _
            As String
    
            ' Convert the plaintext string to a byte array. 
            Dim plaintextBytes() As Byte = _
                System.Text.Encoding.Unicode.GetBytes(plaintext)
    
            ' Create the stream. 
            Dim ms As New System.IO.MemoryStream
            ' Create the encoder to write to the stream. 
            Dim encStream As New Security.Cryptography.CryptoStream(ms, _
                TripleDes.CreateEncryptor(), _
                System.Security.Cryptography.CryptoStreamMode.Write)
    
            ' Use the crypto stream to write the byte array to the stream.
            encStream.Write(plaintextBytes, 0, plaintextBytes.Length)
            encStream.FlushFinalBlock()
    
            ' Convert the encrypted stream to a printable string. 
            Return Convert.ToBase64String(ms.ToArray)
        End Function
    
        Public Function DecryptData(ByVal encryptedtext As String) _
            As String
    
            ' Convert the encrypted text string to a byte array. 
            Dim encryptedBytes() As Byte = Convert.FromBase64String(encryptedtext)
    
            ' Create the stream. 
            Dim ms As New System.IO.MemoryStream
            ' Create the decoder to write to the stream. 
            Dim decStream As New Security.Cryptography.CryptoStream(ms, _
                TripleDes.CreateDecryptor(), _
                System.Security.Cryptography.CryptoStreamMode.Write)
    
            ' Use the crypto stream to write the byte array to the stream.
            decStream.Write(encryptedBytes, 0, encryptedBytes.Length)
            decStream.FlushFinalBlock()
    
            ' Convert the plaintext stream to a string. 
            Return System.Text.Encoding.Unicode.GetString(ms.ToArray)
        End Function
    
        Private Function TruncateHash(ByVal key As String, _
                                      ByVal length As Integer) _
                                      As Byte()
    
            Dim sha1 As New Security.Cryptography.SHA1CryptoServiceProvider
    
            ' Hash the key. 
            Dim keyBytes() As Byte = _
                System.Text.Encoding.Unicode.GetBytes(key)
            Dim hash() As Byte = sha1.ComputeHash(keyBytes)
    
            ' Truncate or pad the hash. 
            ReDim Preserve hash(length - 1)
            Return hash
        End Function
    
        Public Sub Dispose() Implements IDisposable.Dispose
            If TripleDes IsNot Nothing Then
                TripleDes.Dispose()
                TripleDes = Nothing
            End If
        End Sub
    End Class

    Once you do that, then put just the encrypted value in your datatable and run it again. That's not a good substitute, but it will get things started here.

    Let me know please?


    "A problem well stated is a problem half solved." - Charles F. Kettering

    Thursday, December 21, 2017 3:30 PM