I saved password into the database with "binary" data type from GetByte method. How can I compare

  • Thread starter: Benny Ng

Benny Ng

Dear all,

The following is the source. The password is encrypted and saved into the
Binary in SQL2K.
Now I want to create a new page to compare the existing password and the
password that is in the database.
But I don't know how to use source code to solve it. Can you help me?
Urgently!

<<<<<<Save Method<<<<<<

// Hash the entered password with the configured "SHA1Managed" provider.
HashProviderFactory hashProviderFactory = new HashProviderFactory();
this.hashProvider = hashProviderFactory.CreateHashProvider("SHA1Managed");
byte[] password =
    hashProvider.CreateHash(Encoding.Unicode.GetBytes(TxtPassword.Text));

// Pass the salesman id and the hash bytes to the stored procedure.
DBCommandWrapper DBCW_Edit =
    db.GetStoredProcCommandWrapper(CPEditSalesmanPassword);
DBCW_Edit.AddInParameter("@Id", DbType.Double, objSalesMan.Id);
DBCW_Edit.AddInParameter("@Password", DbType.Binary, password);
db.ExecuteNonQuery(DBCW_Edit);


<<<<<<Get Method from SQL2K<<<<<<

// Hash the entered password with the configured "SHA1Managed" provider.
HashProviderFactory hashProviderFactory = new HashProviderFactory();
this.hashProvider = hashProviderFactory.CreateHashProvider("SHA1Managed");
byte[] password =
    hashProvider.CreateHash(Encoding.Unicode.GetBytes(TxtPassword.Text));

// Pass the salesman id and the hash bytes to the stored procedure.
DBCommandWrapper DBCW_Edit =
    db.GetStoredProcCommandWrapper(CPEditSalesmanPassword);
DBCW_Edit.AddInParameter("@Id", DbType.Double, objSalesMan.Id);
DBCW_Edit.AddInParameter("@Password", DbType.Binary, password);
db.ExecuteNonQuery(DBCW_Edit);


Benny Ng
 
Benny Ng said:
The following is the source. The password is encrypted and saved into the
Binary in SQL2K.
Now I want to create a new page to compare the existing password and the
password that is in the database.
But I don't know how to use source code to solve it. Can you help me?

Not seeing the StoredProcedure, it is unclear exactly what is being done
here other than passing the username and hashed password to the database. In
most cases, a one-way hash is sufficient for passwords. You do not need to
retrieve a password, only compare the saved hash against the hashed version
of the user-entered value. If the values match, then you have authenticated
their credentials. If not, then it is not valid. It is more secure to give
the user the ability to change their password, or possibly reset it, but
never to retrieve it.

Jim Wooley
 
Once you have saved the password, every time a user logs in with that
password, encrypt the typed value using the same encryption as with the
database password and then compare.
 
Hi, all,

I found the reason for this. This application is based on
Enterprise Library, so when I set the options for the encryption, I
selected "Salt Enabled". As we know, the salt is randomly generated
by the system (or by us), so the method that I used to compare the equality of
both passwords wouldn't run properly. But in the end I used the intrinsic
method of Identity Authentication (like the logon page) to compare the
incoming password and the existing one. It was successful.

So I appreciate everyone's attention and help.

Thank you very much.

Benny Ng
MSN: (e-mail address removed)
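
Added example (not part of the thread and not Enterprise Library code): why hashing the typed password again and comparing bytes fails once a random salt is enabled, and how verification works when the salt is read back from the stored value. It uses PBKDF2 from the .NET base class library in place of the thread's salted SHA-1 provider; the class name, the `salt || key` layout, the sizes and the iteration count are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;

static class SaltedPasswordHash   // hypothetical helper, not an Enterprise Library type
{
    const int SaltSize = 16;        // bytes of random salt (assumed)
    const int HashSize = 32;        // bytes of derived key (assumed)
    const int Iterations = 100000;  // PBKDF2 work factor (assumed)

    // Returns salt || derived key: the value to store in the binary column.
    public static byte[] Create(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        return Derive(password, salt);
    }

    // Re-derives using the salt taken from the stored value, then compares
    // in constant time. A fresh Create() call would pick a different salt.
    public static bool Verify(string password, byte[] stored)
    {
        if (password == null || stored == null || stored.Length != SaltSize + HashSize)
            return false;
        byte[] salt = new byte[SaltSize];
        Buffer.BlockCopy(stored, 0, salt, 0, SaltSize);
        return CryptographicOperations.FixedTimeEquals(Derive(password, salt), stored);
    }

    static byte[] Derive(string password, byte[] salt)
    {
        byte[] result = new byte[SaltSize + HashSize];
        Buffer.BlockCopy(salt, 0, result, 0, SaltSize);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            Buffer.BlockCopy(kdf.GetBytes(HashSize), 0, result, SaltSize, HashSize);
        return result;
    }

    static void Main()
    {
        byte[] stored = Create("constructed-sample-pw");  // constructed sample input
        byte[] again = Create("constructed-sample-pw");   // same password, new salt
        // Naive approach from the thread: hash again and compare the two results.
        Console.WriteLine(CryptographicOperations.FixedTimeEquals(stored, again));
        // Salt-aware verification against the stored value.
        Console.WriteLine(Verify("constructed-sample-pw", stored));
        Console.WriteLine(Verify("wrong-guess", stored));
    }
}
```
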


Christopher Reed said:
Once you have saved the password, every time a user logs in with that
password, encrypt the typed value using the same encryption as with the
database password and then compare.
--
Christopher A. Reed
"The oxen are slow, but the earth is patient."
