Is this how hashed password stored in SQL Server should look like? This is function I use to hash password (I found it in some tutorial)
public string EncryptPassword(string password)
{
//we use codepage 1252 because that is what sql server uses
byte[] pwdBytes = Encoding.GetEncoding(1252).GetBytes(password);
byte[] hashBytes = System.Security.Cryptography.MD5.Create().ComputeHash(pwdBytes);
return Encoding.GetEncoding(1252).GetString(hashBytes);
}
EDIT: I tried to use sha-1 and now strings seem to look like as they are suppose to:
public string EncryptPassword(string password)
{
return FormsAuthentication.HashPasswordForStoringInConfigFile(password, "sha1");
}
// example output: 39A43BDB7827112409EFED3473F804E9E01DB4A8
Result from the image above looks like broken string, but this sha-1 looks normal....
I am trying to insert a string and random number into the database as hash sha1 then loggin in against it. the problem is if I use hash it wont login but if i dont use hash the login works fine... Code below.
insert hash into db Dim user As New Label user.Visible = False user.Text = (myDataReader2.Item("username")) MyConnection2.Close() Dim MyConnection3 As New Data.SqlClient.SqlConnection("Data Source=xxx") Dim mycommand3 As New Data.SqlClient.SqlCommand("Update Register SET [Password] = @password WHERE [username] = '" & user.Text & "' AND [email] = '" & email.Text & "'", MyConnection3) Dim pass As String Dim rnd As Integer, randomNum As New Random rnd = randomNum.Next(1000, 10000) pass = "Pass" & rnd mycommand3.Parameters.AddWithValue("@password", FormsAuthentication.HashPasswordForStoringInConfigFile(pass, "SHA1")) MyConnection3.Open() mycommand3.ExecuteNonQuery() login page Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs) ' Fires upon attempting to authenticate the use If Not (HttpContext.Current.User Is Nothing) Then If HttpContext.Current.User.Identity.IsAuthenticated Then If TypeOf HttpContext.Current.User.Identity Is FormsIdentity Then Dim fi As FormsIdentity = CType(HttpContext.Current.User.Identity, FormsIdentity) Dim fat As FormsAuthenticationTicket = fi.Ticket Dim astrRoles As String() = fat.UserData.Split("|"c) HttpContext.Current.User = New GenericPrincipal(fi, astrRoles) End If End If End If End Sub Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Dim myConnection As New SqlClient.SqlConnection Dim myCommand As New SqlClient.SqlCommand Dim intUserCount As Integer Dim strSQL As String myConnection = New SqlClient.SqlConnection("Data Source=jrome2.db.4961680.hostedresource.com; Initial Catalog=jrome2; User ID=jrome2; Password=Richard050283;") strSQL = "SELECT COUNT(*) FROM Register " _ & "WHERE UserName='" & Replace(txtusername.Text, "'", "''") & "' " _ & "AND Password='" & Replace(txtpassword.Text, "'", "''") & "';" myCommand = New SqlClient.SqlCommand(strSQL, myConnection) myConnection.Open() intUserCount = myCommand.ExecuteScalar() myConnection.Close() 'Response.Write(intUserCount) If intUserCount > 0 Then FormsAuthentication.Initialize() Dim strRole As String = AssignRoles(txtusername.Text) 'The AddMinutes determines how long the user will be logged in after leaving 'the site if he doesn't log off. Dim fat As FormsAuthenticationTicket = New FormsAuthenticationTicket(1, _ txtusername.Text, DateTime.Now, _ DateTime.Now.AddMinutes(30), False, strRole, _ FormsAuthentication.FormsCookiePath) Response.Cookies.Add(New HttpCookie(FormsAuthentication.FormsCookieName, _ FormsAuthentication.Encrypt(fat))) Response.Redirect(FormsAuthentication.GetRedirectUrl(txtusername.Text, False)) Else login.Text = "Incorrect Log In Information" End If End Sub Private Function ValidateUser(ByVal strUsername As String, ByVal strPassword As String) _ As Boolean 'Return true if the username and password is valid, false if it isn't Return CBool(strUsername = " & Replace(txtusername.Text, " AndAlso strPassword = " & Replace(txtpassword.Text, ") End Function Private Function AssignRoles(ByVal strUsername As String) As String Dim myConnection As New SqlClient.SqlConnection Dim myCommand As New SqlClient.SqlCommand Dim intUserCount As Integer Dim strSQL As String myConnection = New SqlClient.SqlConnection("Data Source=jrome2.db.4961680.hostedresource.com; Initial Catalog=jrome2; User ID=jrome2; Password=Richard050283;") strSQL = "SELECT COUNT(*) FROM Register " _ & "WHERE UserName='" & Replace(txtusername.Text, "'", "''") & "' " _ & "AND Password='" & Replace(txtpassword.Text, "'", "''") & "';" myCommand = New SqlClient.SqlCommand(strSQL, myConnection) myConnection.Open() intUserCount = myCommand.ExecuteScalar() myConnection.Close() 'Response.Write(intUserCount) If intUserCount > 0 Then Return "client" Else Return String.Empty End If End Function Protected Sub LinkButton1_Click(ByVal sender As Object, ByVal e As System.EventArgs) txtusername.Text = String.Empty txtpassword.Text = String.Empty End Sub
i m trying to change my password. the password in database is in hash formatting. the class FormsAuthentication. is using for hash conversion. the password is indicating the same in if condition. but after if applying it suddenly go on else part , even the value on if condition is same.
I'm using the code below to authenticate a user in Active Directory, but the password is sending in clear text. How can I hash my password and then send it to Active Directory?
DirectoryEntry entry = new DirectoryEntry(path, username, pwd); try { //Bind to the native AdsObject to force authentication. object obj = entry.NativeObject; DirectorySearcher search = new DirectorySearcher(entry); search.Filter = "(SAMAccountName=" + username + ")"; search.PropertiesToLoad.Add("cn"); SearchResult result = search.FindOne(); if (null == result) { return false; } //Update the new path to the user in the directory. _path = result.Path; _filterAttribute = (string)result.Properties["cn"][0]; } catch (Exception ex) { throw new Exception("Error authenticating user. " + ex.Message); } return true;
I'm attempting to create a pure t-sql representation of the default SHA-1 password hashing in the ASP.Net Membership system. Ideally, what I would get would be this:
Note: that's bogus base-64 text there. I've got base64_encode and decode functions that round-trip correctly. Here's my attempt, which doesn't work: SELECT UserName, Password, dbo.base64_encode(HASHBYTES('SHA1', dbo.base64_decode(PasswordSalt) + 'test')) As TestPassword FROM aspnet_Users U JOIN aspnet_membership M ON U.UserID = M.UserID
I've tried a number of variations on the theme, to no avail. I need to do this in pure T-Sql; involving a console app or something like that will double the work. So if anyone can supply what precisely the syntax should be to duplicate that password from the ASP.Net membership stuff
Hopefully someone knows a way to fix this issue, but here is my problem. I need to be able to recreate a md5 hash that will be the equivalent of the hash that php would generate.
The encoding I have tried is listed below. None of these will produce the same values.
I have a service (WCF) with which my ASP.NET page will communicate. The WCF service has hashed passwords in its data store (a file actually). The WCF service requires the username and the hashed password on every call. Nowm the problem I'm encountering is that if I authenticate the user with forms authentication in ASP.NET, a cookie will be saved in the user's computer after the user is authenticated but I would like to save the username and hashed password too so that the user may able to use the WCF service. Where should this information should be saved so that it is safe and secure? Should I use session variables? If I choose that option that, then should I switch from forms-based authentication and manually authenticate using session variables or use both forms-based autentication for web page access and store the username and hashed password in a session variable? What are the pros and cons of each?
I'm about to setup a new client with username and passwords that will be managed in the database.
I am not using the Membership provider - and I do not want to.
At any rate - other times I've done this I've stored the PW in clear text in a user table. I've seen commercial system that can send you your "existing" password so they must do basically the same thing.
I'm thinking for this setup I want to encrypt the password - probably a one-way encryption. Of course that means I can never give someone their password if they forget - I'll simply have to reset it to something unique and let them change it when they login.
What encryption methods are easy and quick to use?
Is there one I can do in Javascript so that I can encrypt in the browser and never have to actually POST a clear text password either??
1) login and send username,password, machineID and a rand string to the server 2) check the machineID whether it exists in the table.
Problem is the checking machine procedure:
select MachineID from computer where MD5MachineID=@MD5MachineID2 and SUBSTRING((master.dbo.fn_varbintohexstr(HASHBYTES('MD5',MachineID+@RString))),3,32)=@MIDST
RString,MD5MachineID2,MIDST are submited by Login MD5MachineID is stored in table.
I need the check if MD5(MachineID+RString) is match the MIDST (submited).
Now the situation is :
if RString is a fixed string(not a variable).like 'abcdefg', the MD5 is correct.
if I use the RString (submited value as a variable), the MD5 is incorrect.
I am writing a simple plugin for IE. I need to store a password and username setting for the user who uses the plugin. I know that I can store the username/password in the registry, I can manually encrypt it using the encription classes with .NET, or I can store it in a config file and encrypt the config file. I was wondering if there is a specific pattern/mechanism that I should use to store password and username.
for maintain security, i encrypted my password and store in database like following
Dim PWD As String = FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Text.Trim(), "SHA1").Trim()
but problem is suppose user forget his password and need to know then how can i decrypted the password and send to the user?is there any other suitable way to handle password?
Even with https enabled, you can write a password to the event log in code-behind. Any way to keep that password encrypted in code while you're checking it against a data store?
(using Login control)
(couldn't add comment to Andrew's answer, so I'm putting it here) NTLM uses the username/password of the machine the user is logged into right? For this, I was thinking using ActiveDirectory on the server as the data store. It would have a diferrent un/pw than what the user is currently signed in to their machine as.
I have a custom membership user class and custom MembershipProvider working against database. Due to security reasons the user passwords are stored in the database as hashed values. So my procedure
public override bool ValidateUser(string username, string password) is { //select hashed password from db return (EncodePassword(password) == dbpassword) } [code]....
Actually I have a gridview with many rows and I want to insert the all rows in sql server through one store procedure first row can inserted but what should we do for other rows
I need rft server control not HTML based server controls to display and store text as well as images, from which i can get rtf text and can save it as it is in DB.
I have a large dataset (35,000+ rows) that I need to export to excel and then let the user download. I have done this the conventional way (with a gridview), but the data has grown, causing a OutOfMemoryException on the web server.
So I thought, would it not be better if I can export the data into excel on the sql server, and then transfer this data to the web server.
Note that this is not a one-off job. This will be ran regularly (twice a month), but the user. Hence I need something that the user can initiate.
I want to create password in single database for example when i attach My database abc.mdf or open that database then it ask me password. as like access database password..
