Creating simple login, compare password to hashed password in SQL database

  • Question

  • User1028962535 posted

    Hello, I am trying to create a simple login page. The password is already hashed and stored in a SQL table. I am trying to hash the password supplied by the user and compare it to the stored password, but it's not working. Can anyone tell me where I am going wrong, please?

    Protected Sub Button2_Click(sender As Object, e As EventArgs)

        Dim loginPass As String
        loginPass = FormsAuthentication.HashPasswordForStoringInConfigFile(txtpassword.Text, "SHA1")

        Dim con As New SqlConnection(ConfigurationManager.ConnectionStrings("test").ConnectionString)
        con.Open()
        Dim cmd As New SqlCommand("SELECT Username FROM Users WHERE Username = @username AND Password = @password", con)
        cmd.Parameters.AddWithValue("@username", txtusername.Text)
        cmd.Parameters.AddWithValue("@password", loginPass)

        Dim da As New SqlDataAdapter(cmd)
        Dim dt As New DataTable()
        da.Fill(dt)

        If dt.Rows.Count = 0 Then
            lblmessage.Text = "Incorrect login details"
        ElseIf dt.Rows.Count > 0 Then
            lblmessage.Text = "correct login details"
        End If
    End Sub

    Tuesday, January 21, 2020 8:38 AM

All replies

  • User1028962535 posted

    I have had a look to see what the loginPass variable is returning after it hashes the password. It's almost identical to what is in the database.

    for example  -  0xE0E632F990868B3B9C561D17AA22E6F4F352A306   this is the password in the database

                      E0E632F990868B3B9C561D17AA22E6F4F352A306   this is what loginPass is returning, it's missing the 0x at the beginning

    any ideas where I am going wrong?

    thanks for any help

    Tuesday, January 21, 2020 8:52 AM
  • User-1780421697 posted

    PasswordHasher generates different hashes each time because it uses a salting technique. This technique secures the hashed password against dictionary attacks. By the way, you could use the following code to manually verify the password:

    MVC:

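    // requires: using Microsoft.AspNet.Identity;
    // VerifyHashedPassword is an instance method, so create a PasswordHasher first.
    var hasher = new PasswordHasher();
    if (hasher.VerifyHashedPassword("hashedPassword", "password")
        != PasswordVerificationResult.Failed)
    {
        // password is correct
    }
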
    Tuesday, January 21, 2020 8:57 AM
  • User1028962535 posted

    So how can I get the password the user provides to hash properly and be the same as in the database?

    Tuesday, January 21, 2020 9:28 AM
  • User-1780421697 posted

    https://docs.microsoft.com/en-us/previous-versions/aspnet/dn468192(v%3Dvs.108)

    This is the main class that hashes the password for you, and you can use it in the code above. hashPass and password are the two parameters expected by the method above.

    The method that helps you and returns hashedPassword is:

    https://docs.microsoft.com/en-us/previous-versions/aspnet/mt151559%28v%3dvs.108%29

    This method verifies hashPassword and the provided password:

    https://docs.microsoft.com/en-us/previous-versions/aspnet/mt151578%28v%3dvs.108%29

    Tuesday, January 21, 2020 10:08 AM
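
The mismatch described in the thread's second post, as an added example that is not part of the original thread: it assumes the Password column holds the raw 20-byte SHA-1 digest, which SQL tools display with a 0x prefix, so the stored value and the computed hash are compared as bytes rather than as text. StoredHashToBytes, FixedTimeEquals and VerifyLegacySha1 are hypothetical helper names, and the sample password is constructed.

```vb
Imports System
Imports System.Security.Cryptography
Imports System.Text

' Added example; helper names are hypothetical, sample credentials are constructed.
Module PasswordCheckExample

    ' Accepts "0xE0E6..." (how SQL tools display binary columns) or bare hex.
    Function StoredHashToBytes(stored As String) As Byte()
        Dim hexText As String = stored.Trim()
        If hexText.StartsWith("0x", StringComparison.OrdinalIgnoreCase) Then
            hexText = hexText.Substring(2)
        End If
        If hexText.Length Mod 2 <> 0 Then Throw New FormatException("Odd-length hex")
        Dim bytes(hexText.Length \ 2 - 1) As Byte
        For i As Integer = 0 To bytes.Length - 1
            bytes(i) = Convert.ToByte(hexText.Substring(i * 2, 2), 16)
        Next
        Return bytes
    End Function

    ' Checks every byte so timing does not reveal where the first mismatch is.
    Function FixedTimeEquals(a As Byte(), b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    ' Same digest as HashPasswordForStoringInConfigFile(..., "SHA1"): SHA-1 over UTF-8.
    Function VerifyLegacySha1(password As String, stored As String) As Boolean
        Using sha As SHA1 = SHA1.Create()
            Dim computed As Byte() = sha.ComputeHash(Encoding.UTF8.GetBytes(password))
            Return FixedTimeEquals(computed, StoredHashToBytes(stored))
        End Using
    End Function

    Sub Main()
        ' Constructed record: the digest of a made-up password, formatted with "0x".
        Using sha As SHA1 = SHA1.Create()
            Dim digest As Byte() = sha.ComputeHash(Encoding.UTF8.GetBytes("Example-Pass-1"))
            Dim stored As String = "0x" & BitConverter.ToString(digest).Replace("-", "")
            Console.WriteLine(VerifyLegacySha1("Example-Pass-1", stored))  ' matching password
            Console.WriteLine(VerifyLegacySha1("example-pass-1", stored))  ' non-matching password
        End Using
    End Sub
End Module
```

Unsalted SHA-1 appears here only because the thread's table already stores such hashes; the PasswordHasher class linked in the replies salts each hash, which is the better fit for new records.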