How to validate a username and password when I have a hashed password in the database?

  • Question

  • Really I am asking myself the best way to validate a client with a username and password when I don't use sessions and the service is configured perCall.

    So, as the instance is perCall and I don't use sessions, each time a client calls a method the service has to validate the client. I think that this is my problem. I have a hashed password in the database, so to validate the client I have to get the salt and the hashed password from the database, add the salt to the password that I get from the client, hash, and compare the result with the hashed password that I have in the database. I think that for performance, this is a very bad solution.

    I was thinking of using sessions, so in this way I have to validate the session only once; if the session is validated, then I can store the session for example in a hashset, so when a method is called, I can search for the session in the hashset: if it exists, I allow the execution of the method; if not, no.

    But if I am not wrong, sessions are used to ensure that the packages are sent in order, and they shouldn't be used for validating purposes. Is that correct?

    Another problem is that I need to use streamed transfer, which is not compatible with reliable connections and sessions, so that is another problem.

    I would like to avoid using certificates, because I would like to avoid having to create a certificate for each client.

    Thank you so much.

    Friday, December 18, 2015 6:09 PM

Answers

  • You could cache the hashed passwords so you don't have to call out to the database on each request. You could for example use the built-in ObjectCache class to do this: https://msdn.microsoft.com/en-us/library/system.runtime.caching.memorycache%28v=vs.110%29.aspx

    using System.Collections.Generic;
    using System.Runtime.Caching; // reference the System.Runtime.Caching assembly

    // Process-wide cache shared by all perCall instances of the service.
    ObjectCache cache = MemoryCache.Default;
    List<string> hashedPasswords = cache["ckey"] as List<string>;
    if (hashedPasswords == null)
    {
        // Cache miss: load once from the database, then keep it in memory.
        hashedPasswords = ... ; // fetch from DB
        cache.Set("ckey", hashedPasswords, new CacheItemPolicy());
    }

    This should improve the performance.

    Hope that helps.

    Please remember to close your threads by marking helpful posts as answer and then start a new thread if you have a new question. Please don't ask several questions in the same thread.

    • Proposed as answer by Grady_Dong Friday, December 25, 2015 3:15 AM
    • Marked as answer by Grady_Dong Monday, December 28, 2015 1:54 AM
    Saturday, December 19, 2015 10:29 AM

All replies

  • How do you compare the username and password in the database?

    You can do it this way.

    1. Get the username and password from the user request.
    2. Run a SQL query by username only and get all the user info, including the password hash.
    3. Now apply your hash (salt and hash with your algorithm) to the password from the request and compare it with the database hash in your application (password comparison on your application side, not in the database).
    4. If it matches then success; if it fails then error.

    Note: Add an index on the Username column. You'll get the best performance.

    If you do the password comparison on the database side and apply the hash algorithm to all passwords, then you'll face performance problems.

    Friday, December 18, 2015 7:56 PM
  • The process that you describe is how I do it. My doubt is:

    The validation, when I hash the password and salt, takes time, about one second, because for security purposes, to avoid brute force attacks, it does many iterations. So doing it on each method call, I think, is very expensive.

    The other question is that this requires an extra query to the database on each method call too, to get the hashed password, so I think that is another performance problem.

    So from the point of view of performance, which is the best way to authenticate? If it requires a session or something else, I can study it; I am open to alternatives.

    Thanks.

    Friday, December 18, 2015 9:57 PM
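    The pieces discussed in this thread fit together as follows: the question's salt-and-hash verification, the step list in the first reply (query by username, hash on the application side, compare), and the accepted answer's MemoryCache suggestion. The code below is an added example written for this thread, not code from the original posts or from the WCF framework. It assumes a small in-memory dictionary as a constructed stand-in for the users table, a hypothetical iteration count, and the `Rfc2898DeriveBytes` overload that takes a `HashAlgorithmName` (.NET Framework 4.7.2+ or .NET Core 2.0+; `MemoryCache` needs a reference to `System.Runtime.Caching`). Unlike the answer's snippet it caches one stored record per username (salt, hash, iteration count) rather than a flat list, uses a constant-time comparison, and runs the KDF even for unknown usernames so response time does not reveal which accounts exist. `Verify` is what a perCall operation (or a custom `UserNamePasswordValidator`) would call on each request.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.Caching;
using System.Security.Cryptography;

// Added example for this thread, not code from the original posts.
public sealed class StoredCredential
{
    public byte[] Salt;     // per-user random salt
    public byte[] Hash;     // PBKDF2-SHA256 output
    public int Iterations;  // work factor used when the hash was created
}

public static class PasswordVerifier
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int DefaultIterations = 100000; // hypothetical work factor

    // Constructed stand-in for the users table (username -> stored record).
    private static readonly Dictionary<string, StoredCredential> Database =
        new Dictionary<string, StoredCredential>(StringComparer.Ordinal);

    // Process-wide cache, so perCall instances do not query the DB on every call.
    private static readonly ObjectCache Cache = MemoryCache.Default;
    private static readonly TimeSpan CacheTtl = TimeSpan.FromMinutes(5);

    public static int DatabaseReads; // counter to show when the cache is hit

    // Dummy record used for unknown usernames, so the call still costs one
    // PBKDF2 run and does not reveal whether the username exists.
    private static readonly StoredCredential Dummy = CreateRecord("not-a-real-password");

    public static void Register(string username, string password)
    {
        Database[username] = CreateRecord(password);
        Cache.Remove("cred:" + username); // drop any stale cached copy
    }

    public static bool Verify(string username, string password)
    {
        StoredCredential stored = Load(username) ?? Dummy;
        byte[] candidate = Derive(password, stored.Salt, stored.Iterations);
        bool hashMatches = FixedTimeEquals(candidate, stored.Hash);
        return hashMatches && !ReferenceEquals(stored, Dummy);
    }

    // Step 2 of the reply: look up by username only. Cache holds salt+hash,
    // never a plaintext password.
    private static StoredCredential Load(string username)
    {
        string key = "cred:" + username;
        StoredCredential cached = Cache[key] as StoredCredential;
        if (cached != null) return cached;

        DatabaseReads++;
        StoredCredential fromDb;
        if (!Database.TryGetValue(username, out fromDb)) return null;

        Cache.Set(key, fromDb, new CacheItemPolicy { SlidingExpiration = CacheTtl });
        return fromDb;
    }

    private static StoredCredential CreateRecord(string password)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return new StoredCredential
        {
            Salt = salt,
            Iterations = DefaultIterations,
            Hash = Derive(password, salt, DefaultIterations)
        };
    }

    // Step 3 of the reply: salt and hash on the application side.
    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    // Compare every byte regardless of where the first difference is, so the
    // time taken does not leak how much of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Program
{
    public static void Main()
    {
        PasswordVerifier.Register("alice", "correct horse battery staple");
        Console.WriteLine("alice, right password: " + PasswordVerifier.Verify("alice", "correct horse battery staple"));
        Console.WriteLine("alice, wrong password: " + PasswordVerifier.Verify("alice", "wrong password"));
        Console.WriteLine("unknown user:          " + PasswordVerifier.Verify("mallory", "anything"));
        // Two reads: the first alice call and the mallory lookup; the second alice call hit the cache.
        Console.WriteLine("database reads: " + PasswordVerifier.DatabaseReads);
    }
}
```

    Note what the cache does and does not buy: it removes the per-call database round trip the asker worried about, but the PBKDF2 work (the "about one second" in the reply above) is still paid on every call, because that cost is the whole point of the iteration count. Entries must be invalidated when a password changes (`Register` does this), and since `MemoryCache.Default` is per process, a service hosted on several machines keeps an independent cache on each.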