Reputation: 3736
I am working on an application where the employee will first register into the system by entering a loginID and password. The password is hashed and salted and stored in a Login table (both values are stored along with the loginID value). However, when I stepped through the code and logged in to the application (after the registration process), the hash and salt values never match.
How would I go about verifying the user's password when they login to the system?
Encryption function:
protected static void EncryptPassword(eWebEmployee oEmp)
{
    // Create Hash & Salt
    sysSecurity oSecurity = new sysSecurity();
    oEmp.EmpPasswordSalt = oSecurity.CreateSalt(5);
    oEmp.EmpPasswordHash = oSecurity.CreatePasswordHash(oEmp.EmpPasswordSalt, oEmp.EmpPassword);
}
Database call:
// Method signature assumed for completeness; the original post shows only the body.
protected static bool VerifyPassword(eWebEmployee oEmp, DbConnection oDbConn, DbCommand oDbCommand)
{
    oDbConn.Open();
    try
    {
        using (DbDataReader oDbDataReader = oDbCommand.ExecuteReader())
        {
            while (oDbDataReader.Read())
            {
                if (!oDbDataReader.IsDBNull(0) && !oDbDataReader.IsDBNull(1))
                {
                    // Column 0 = stored hash, column 1 = stored salt.
                    // oEmp.EmpPasswordSalt / EmpPasswordHash come from EncryptPassword above.
                    return oEmp.EmpPasswordSalt == oDbDataReader.GetString(1)
                        && oEmp.EmpPasswordHash == oDbDataReader.GetString(0);
                }
                return false;
            }
        }
        return false; // no row found for this loginID
    }
    finally
    {
        // Close on every path; the original only closed when no row was read.
        oDbConn.Close();
    }
}
Upvotes: 0
Views: 415
Reputation: 1728
It's a bit hard to understand the purpose of your code, but normally you create a hash using a salt value and a password string. Then when you log in again you do exactly the same using the SAME salt value. Then compare the password hash to the one in your db.
Upvotes: 1
Reputation: 238
The way I read your code you create a new salt each time. You should get your salt from the database, calculate a hash with the user-provided password and then compare the hash to the hash stored in the database. If they are equal the user entered the correct password. Create a new salt only on registration.
Upvotes: 2
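The flow both answers describe (salt generated once at registration, read back from the database at login, hash recomputed with that stored salt, then compared), as an added example that is not part of the question or either answer. It assumes .NET 6 or later and uses the standard `System.Security.Cryptography` APIs (`RandomNumberGenerator`, `Rfc2898DeriveBytes.Pbkdf2`, `CryptographicOperations.FixedTimeEquals`) in place of the asker's `sysSecurity` class; an in-memory dictionary stands in for the Login table, and the loginID and passwords in `Main` are constructed sample values. `VerifyWithFreshSalt` reproduces the pattern from the question so the failure can be seen side by side with the correct check.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Stand-in for the Login table: loginID -> (salt, hash). In the real application these
// are the two columns the data reader returns (hash in column 0, salt in column 1).
public static class PasswordStore
{
    private const int SaltSize = 16;        // bytes of random salt per user
    private const int HashSize = 32;        // PBKDF2 output length in bytes
    private const int Iterations = 100_000; // work factor; tune for your hardware

    private static readonly Dictionary<string, (byte[] Salt, byte[] Hash)> LoginTable = new();

    // One hashing routine used by both registration and login: same password + same
    // salt must always produce the same hash, otherwise verification cannot work.
    private static byte[] Hash(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashSize);

    // Registration: the ONLY place a new salt is generated.
    public static void Register(string loginId, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        LoginTable[loginId] = (salt, Hash(password, salt));
    }

    // Login: fetch the stored salt, recompute the hash with it, compare in constant time
    // (FixedTimeEquals avoids leaking how many leading bytes matched).
    public static bool Verify(string loginId, string password)
    {
        if (!LoginTable.TryGetValue(loginId, out var row))
            return false; // unknown loginID

        byte[] candidate = Hash(password, row.Salt);
        return CryptographicOperations.FixedTimeEquals(candidate, row.Hash);
    }

    // The pattern from the question: a fresh salt at login. The recomputed hash is
    // derived from different salt bytes, so it does not match the stored hash even
    // when the password is correct.
    public static bool VerifyWithFreshSalt(string loginId, string password)
    {
        if (!LoginTable.TryGetValue(loginId, out var row))
            return false;

        byte[] freshSalt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] candidate = Hash(password, freshSalt);
        return CryptographicOperations.FixedTimeEquals(candidate, row.Hash);
    }

    public static void Main()
    {
        // Constructed sample credentials, not real account data.
        Register("alice", "correct horse battery staple");

        Console.WriteLine("stored salt, right password:  " + Verify("alice", "correct horse battery staple"));
        Console.WriteLine("stored salt, wrong password:  " + Verify("alice", "wrong password"));
        Console.WriteLine("fresh salt, right password:   " + VerifyWithFreshSalt("alice", "correct horse battery staple"));
        Console.WriteLine("unknown loginID:              " + Verify("bob", "anything"));
    }
}
```

Running `Main` shows the first check succeeding and the other three failing; the third line is exactly the symptom in the question. Mapping this back to the asker's code: at login, `EncryptPassword` should not be called at all. Instead, read the salt from column 1, pass it with the entered password to `CreatePasswordHash`, and compare only the resulting hash against column 0; the salt itself is never something the user "knows", so comparing it is meaningless.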