netdigger

Reputation: 3789

Find if correct password with hash and random salt

I have a database with users and I want to have a random salt for each user that is saved in the column Salt and a hash of their salt+password in the field password.

I can insert them like this:

INSERT INTO users([Username], [Password], [Salt])
VALUES('David', HASHBYTES('SHA1', 'randomgeneratedsalt' + 'theirpw'), 'randomgeneratedsalt')

But how do I select them?

My own try is:

select * 
from users 
where Username = 'David' 
  AND Password = HASHBYTES('SHA1', Salt + 'enteredpw')

Of course I can select the salt for the user that is trying to login, but I'd like to do it without doing so.

Upvotes: 0

Views: 862

Answers (1)

Remus Rusanu

Reputation: 294407

You select them by username, which must be unique. After you locate the user you can compare the presented password hash against the stored one. You only need to be careful to display the same error whether the username was not found or the hash doesn't match (i.e. prevent information disclosure that the username is valid).

Upvotes: 3
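As an added example (not the asker's or the answerer's code), the two-step check the answer describes, mirrored in Python against a constructed copy of the users table: look the row up by the unique Username, recompute SHA1(Salt + entered password) the way HASHBYTES does over an ASCII varchar, compare in constant time, and return one identical failure message for both "no such user" and "wrong password". The table rows, the dummy salt and the message text are assumptions.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed stand-in for the asker's users table: Password holds
# HASHBYTES('SHA1', Salt + password), Salt holds the per-user salt.
# utf-8 matches the varchar bytes as long as salt and password are ASCII.
def make_row(username: str, password: str, salt: str) -> dict:
    digest = hashlib.sha1((salt + password).encode("utf-8")).digest()
    return {"Username": username, "Salt": salt, "Password": digest}

USERS = {
    row["Username"]: row
    for row in [make_row("David", "theirpw", "randomgeneratedsalt"),
                make_row("Alice", "hunter2", "s4lt-for-alice")]
}

# Assumed dummy salt used when the username is unknown, so the failing
# path still does one hash and one comparison, like the normal path.
DUMMY_SALT = "dummy-salt-for-unknown-users"
LOGIN_FAILED = "Invalid username or password"


def verify_login(username: str, entered_pw: str) -> Tuple[bool, str]:
    """Step 1: locate the row by unique Username.
    Step 2: recompute SHA1(Salt + entered password) and compare it with
    the stored hash. Unknown user and wrong password return the same
    message, as the answer advises."""
    row = USERS.get(username)
    salt = row["Salt"] if row else DUMMY_SALT
    stored = row["Password"] if row else bytes(20)
    candidate = hashlib.sha1((salt + entered_pw).encode("utf-8")).digest()
    # compare_digest avoids the early-exit timing of a plain == on bytes
    match = hmac.compare_digest(candidate, stored)
    if row is not None and match:
        return True, "ok"
    return False, LOGIN_FAILED
```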
