user3619254

Reputation: 59

how to compare password with salted hashed password

I have a MySQL table user with two fields: username varchar() and password (salted hashed MD5, 28 bytes / "128 bits"), plus an ASP.NET web form with textbox1 "user" and textbox2 "password".

How can I check that the password entered by the client in textbox2 is the same as the one in the user table, for validation?

This is my simple authenticate function; I need to change the code to compare the password with the hashed one.

Imports System.Data
Imports MySql.Data.MySqlClient

' Returns 1 = password matches, 2 = user found but password differs, 0 = no such user.
' Note: this still compares the stored column with the plain text the user typed.
Public Function Authenticate(ByVal id As String, ByVal pas As String) As Integer

    Dim strConnectionString As String = "Data Source=localhost;port=3306;Database=transfer;User ID=root;Password=password;Convert Zero Datetime=True"
    Dim dsPubs As New DataSet("Employee")

    Using instsqlconnection As New MySqlConnection(strConnectionString)
        instsqlconnection.Open()
        ' Loads the whole login table into memory; a parameterised WHERE clause would fetch only the one row
        Dim daAuthors As New MySqlDataAdapter("Select * From login_detail", instsqlconnection)
        daAuthors.Fill(dsPubs, "login")
    End Using

    ' DataTable.Select takes a filter expression; double any single quote in the id so it cannot break the expression
    Dim drResult As DataRow() = dsPubs.Tables("login").Select("login_id = '" & id.Replace("'", "''") & "'")

    If drResult.Length > 0 Then
        If drResult(0)("password").ToString().Trim() = pas Then
            Return 1
        Else
            Return 2
        End If
    Else
        Return 0
    End If

End Function

Upvotes: 0

Views: 1766

Answers (2)

nerdybeardo

Reputation: 4675

MySQL has an md5 function. You can do the following presuming that the field for salt is called salt:

select 1 from login_detail where login_id = @yourloginId and Password = MD5(CONCAT(salt, @password));  -- CONCAT, not +: in MySQL "+" is numeric addition

Important

MD5 is not a secure method for storing passwords. Even if salted, MD5 is known to be insecure and can be quickly broken. You should use a secure algorithm such as BCrypt, SCrypt or PBKDF2. These algorithms are ideal for password storage since they use salt and are slow, making rainbow table generation much more difficult.

You can upgrade your existing scheme by performing one of the above algorithms over the hash you already have.

BCrypt(MD5(salt+password)). When the user logs in you simply select the password; you then store a password version in the table and set it to 1.

' Assumes a "version" column and the BCrypt.Net library (BCrypt.Net.BCrypt.Verify / HashPassword)
Function AuthenticateUpgrading(ByVal conn As MySqlConnection, ByVal username As String, ByVal password As String) As Boolean
    Dim hashed As String, salt As String, version As Integer
    Using cmd As New MySqlCommand("SELECT password, version, salt FROM login_detail WHERE login_id = @username", conn)
        cmd.Parameters.AddWithValue("@username", username)
        Using rdr = cmd.ExecuteReader()
            If Not rdr.Read() Then Return False
            hashed = CStr(rdr("password")) : version = CInt(rdr("version")) : salt = CStr(rdr("salt"))
        End Using
    End Using

    ' Version 1 rows hold BCrypt(MD5(salt + password)); keep the plain text in its own variable for the re-hash below
    Dim candidate As String = password
    If version = 1 Then candidate = Md5Hex(salt & password)

    If Not BCrypt.Net.BCrypt.Verify(candidate, hashed) Then Return False

    If version = 1 Then
        ' Successful login: hash the plain text directly and move the row to version 2
        Using upd As New MySqlCommand("UPDATE login_detail SET password = @hash, version = 2 WHERE login_id = @username", conn)
            upd.Parameters.AddWithValue("@hash", BCrypt.Net.BCrypt.HashPassword(password))
            upd.Parameters.AddWithValue("@username", username)
            upd.ExecuteNonQuery()
        End Using
    End If
    Return True
End Function

' Lowercase hex MD5, the same form MySQL's MD5() returns
Function Md5Hex(ByVal s As String) As String
    Using md5 As System.Security.Cryptography.MD5 = System.Security.Cryptography.MD5.Create()
        Return BitConverter.ToString(md5.ComputeHash(System.Text.Encoding.UTF8.GetBytes(s))).Replace("-", "").ToLower()
    End Using
End Function

Upvotes: 1

Ajay

Reputation: 6590

First you have to convert the password entered by the user to MD5. Once you have converted the password from a string to an MD5 string,

you can simply call this query:

Select 1 from login_detail ld where ld.login_id = @yourloginId and ld.Password = @md5Password;

Upvotes: 1
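Both answers describe the same basic check (hash the salt and the entered password with MD5, compare with the stored value), and nerdybeardo's adds the versioned upgrade to a slow KDF. The following is an added example, not code from either answer or from the questioner's project. It is in Python rather than VB.NET so it runs stand-alone, uses PBKDF2-HMAC-SHA256 from the standard library in place of BCrypt (the answer lists PBKDF2 as an equally acceptable choice), and stands in for the login_detail table with a constructed in-memory dict. The column names login_id, salt, password and version come from the answers; kdf_salt, the iteration count and the version-0 state for rows that have not been upgraded yet are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for one login_detail row (not the questioner's MySQL data).
# "version" follows nerdybeardo's scheme:
#   0 = bare MD5(salt + password) hex, as the table stores it today (assumed state)
#   1 = slow KDF over the legacy MD5 hex digest (bulk upgrade, no plaintext needed)
#   2 = slow KDF over the plaintext password (set on the next successful login)
PBKDF2_ITERATIONS = 200_000  # assumed parameter; tune to your hardware


def legacy_md5(salt: str, password: str) -> str:
    """MD5 of salt + password, lowercase hex, matching MySQL's MD5(CONCAT(salt, pw))."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def pbkdf2_hash(secret: str, kdf_salt: bytes) -> bytes:
    """Slow KDF standing in for BCrypt; kdf_salt is a separate random salt."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), kdf_salt, PBKDF2_ITERATIONS)


def make_legacy_row(password: str) -> dict:
    """Row as the questioner's table stores it today: salted MD5 only."""
    salt = secrets.token_hex(8)
    return {"salt": salt, "password": legacy_md5(salt, password), "version": 0}


def upgrade_row_offline(row: dict) -> None:
    """Bulk step from the answer: wrap the existing MD5 hash in the slow KDF
    without knowing the plaintext, so every account is protected immediately."""
    kdf_salt = os.urandom(16)
    row["kdf_salt"] = kdf_salt
    row["password"] = pbkdf2_hash(row["password"], kdf_salt)
    row["version"] = 1


def authenticate(row: dict, password: str) -> bool:
    """Verify against whichever version the row is at. On a successful
    version-1 login, rehash the plaintext directly and move the row to version 2."""
    if row["version"] == 0:
        # Legacy path (Ajay's answer): compare the hex digests in constant time.
        return hmac.compare_digest(legacy_md5(row["salt"], password), row["password"])

    # Version 1 wraps the MD5 digest; version 2 wraps the plaintext itself.
    candidate = legacy_md5(row["salt"], password) if row["version"] == 1 else password
    if not hmac.compare_digest(pbkdf2_hash(candidate, row["kdf_salt"]), row["password"]):
        return False

    if row["version"] == 1:
        # Plaintext is known only now; hash it directly (not the MD5) and bump the version.
        row["kdf_salt"] = os.urandom(16)
        row["password"] = pbkdf2_hash(password, row["kdf_salt"])
        row["version"] = 2
    return True


if __name__ == "__main__":
    row = make_legacy_row("correct horse")
    upgrade_row_offline(row)
    print(authenticate(row, "wrong"), row["version"])          # False 1
    print(authenticate(row, "correct horse"), row["version"])  # True 2
```

The constant-time comparison matters at every version: a plain `=` on hex strings or hash bytes leaks how many leading bytes matched through timing. Keeping the plaintext in its own variable during the version-1 path is what lets the row be rehashed over the password rather than over the MD5 digest again.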
