Justin

Reputation: 972

MD5 Cross-platform decryption from VBA to C#

I'm creating a new application in C# for my company.

Our SQL database stores passwords for users using a MD5 encryption which is created through another application we have using MS Access in VBA.

We used code from this website - http://www.di-mgt.com.au/crypto.html#MD5 for our VBA application.

I read on that site that it should be possible for me to decrypt the passwords on another platform: http://www.di-mgt.com.au/cryptoCrossPlatform.html

But I'm not sure how I can do this in C#.

I also looked into some code from CodeProject, but the decryption is pulling back a different result to what is already stored in our database: http://www.codeproject.com/Articles/38951/How-To-Hash-Data-Using-MD-and-SHA

How can I validate logins from this in my new C# application?

EDIT: This is the Hash I'm using at the moment.

    /// <summary>
    /// take any string and encrypt it using MD5 then
    /// return the encrypted data 
    /// </summary>
    /// <param name="data">input text you entered to encrypt</param>
    /// <returns>return the encrypted text as hexadecimal string</returns>
    private string GetMD5HashData(string data)
    {
        //create new instance of md5
        MD5 md5 = MD5.Create();

        //convert the input text to array of bytes
        byte[] hashData = md5.ComputeHash(Encoding.Default.GetBytes(data));

        //create new instance of StringBuilder to save hashed data
        StringBuilder returnValue = new StringBuilder();

        //loop for each byte and add it to StringBuilder
        for (int i = 0; i < hashData.Length; i++)
        {
            returnValue.Append(hashData[i].ToString());
        }

        // return hexadecimal string
        return returnValue.ToString();

    }
    /// <summary>
    /// encrypt input text using MD5 and compare it with
    /// the stored encrypted text
    /// </summary>
    /// <param name="inputData">input text you entered to encrypt</param>
    /// <param name="storedHashData">the encrypted text
    ///         stored on file or database ... etc</param>
    /// <returns>true or false depending on input validation</returns>
    private bool ValidateMD5HashData(string inputData, string storedHashData)
    {
        //hash input text and save it string variable
        string getHashInputData = GetMD5HashData(inputData);

        if (string.Compare(getHashInputData, storedHashData) == 0)
        {
            return true;
        }
        else
        {
            return false;
        }
    }

Upvotes: 0

Views: 900

Answers (3)

Ebbe M. Pedersen

Reputation: 7488

Your MD5 approach to passwords is not secure, as the method is subject to rainbow table attacks.

To illustrate the problem, try searching for the encoded password that you mention in the comments, 25D55AD283AA400AF464C76D713C07AD, in your favorite web browser, and you will soon see that it's listed as 12345678.

You need to step up your security and introduce some secure password hashing.

Upvotes: 1

Scott Arciszewski

Reputation: 34103

> Our SQL database stores passwords for users using a MD5 encryption which is created through another application we have using MS Access in VBA.

No you don't. MD5 isn't encryption, it's a hash function. It's also not well-suited for passwords. You may want to hit the brakes and read up on how to safely store passwords in C#.

Instead of MD5, use Martin Steel's fork of Bcrypt.NET:

    // Calculating a hash
    string hash = BCrypt.HashPassword(usersPassword, BCrypt.GenerateSalt());

    // Validating a hash
    if (BCrypt.Verify(usersPassword, hash)) {
        // Login successful
    }

Simple, easy to reason about, and secure.

Upvotes: 5

Camo

Reputation: 1180

You hash the password the user typed in and compare it with the one that's already in the database. Not the other way around.

Upvotes: 5
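
An added example, not part of any answer above: the hash-and-compare check the answers describe, run against the uppercase-hex MD5 value quoted on this page, with the row re-hashed using bcrypt after a successful legacy login. It assumes .NET 5 or later and the BCrypt.Net-Next NuGet package (class `BCrypt.Net.BCrypt`); `LegacyLogin`, `IsLegacyMd5`, `Md5Hex` and `Verify` are hypothetical names.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class LegacyLogin
{
    // Legacy rows hold 32 hex characters (an MD5 digest); bcrypt strings are longer.
    static bool IsLegacyMd5(string stored) => stored.Length == 32;

    // Two hex digits per digest byte. byte.ToString() with no format emits decimal,
    // which can never match a hex value stored in the database.
    static string Md5Hex(string password)
    {
        // Assumption: the VBA side hashed one byte per character (ANSI),
        // which is identical to ASCII for plain-ASCII passwords.
        byte[] digest = MD5.HashData(Encoding.Latin1.GetBytes(password));
        return Convert.ToHexString(digest); // uppercase hex
    }

    // Returns true on a valid login. newHash is non-null when the caller
    // should overwrite the stored MD5 value with the bcrypt hash.
    public static bool Verify(string password, string stored, out string? newHash)
    {
        newHash = null;
        if (IsLegacyMd5(stored))
        {
            byte[] computed = Encoding.ASCII.GetBytes(Md5Hex(password));
            byte[] expected = Encoding.ASCII.GetBytes(stored.ToUpperInvariant());
            if (!CryptographicOperations.FixedTimeEquals(computed, expected))
                return false;
            newHash = BCrypt.Net.BCrypt.HashPassword(password);
            return true;
        }
        return BCrypt.Net.BCrypt.Verify(password, stored);
    }

    static void Main()
    {
        // Stored value quoted on this page; it is the MD5 of "12345678".
        const string row = "25D55AD283AA400AF464C76D713C07AD";
        bool legacyOk = Verify("12345678", row, out string? upgraded);
        bool bcryptOk = Verify("12345678", upgraded!, out _); // upgraded row
        bool wrongPw = Verify("wrong", row, out _);           // bad password
        Console.WriteLine($"{legacyOk} {bcryptOk} {wrongPw}");
    }
}
```

Once every active account has logged in and been upgraded, the MD5 branch and any remaining MD5 rows can be retired by forcing a password reset.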
