Reputation: 127
The code below allows a user to enter user name and password to log in to enter marks of students. SQL data reader verifies the user credentials from the database before authentication takes place. I would be grateful if someone could modify the code by salting and hashing the password.
Private Sub btnLogin_Click(sender As Object, e As EventArgs) Handles btnLogin.Click ' handler signature assumed; the original excerpt starts after it
    Dim frm As New MarksEntryFrm
    Dim flag As Boolean
    flag = False
    If cboForm.Text = "" Or cboAcadYear.Text = "" Or cboSubjCode.Text = "" Or txtUserName.Text = "" Or txtPassword.Text = "" Then
        MessageBox.Show("None of the fields can be left blank", "Blank fields", MessageBoxButtons.OK, MessageBoxIcon.Error)
    Else
        ' the query text is built by string concatenation, so the user-typed values become part of the SQL
        cmd = New SqlCommand("Select a.Form,a.AcademicYear,b.SubjectID,b.UserID,b.Password,c.Term from StudentDetails.Programmes a, StudentDetails.Subjects b,RegistrationDetails.Registration c where b.SubjectID='" & cboSubjCode.SelectedItem & "' and b.UserID='" & txtUserName.Text & "' and b.Password='" & txtPassword.Text & "' collate Latin1_General_CS_AS", cn)
        ' these two parameters are never referenced by the query text above, so they do not protect against SQL injection
        cmd.Parameters.AddWithValue("@UserID", txtUserName.Text)
        cmd.Parameters.AddWithValue("@Password", txtPassword.Text)
        dr1 = cmd.ExecuteReader
        ctr = ctr + 1
        If dr1.Read Then
            frm.Show()
            ctr = 0
            Hide()
        ElseIf ctr < 3 Then
            MessageBox.Show("Incorrect Subject Code, User Name or Password. Please try again.", "Wrong data entered", MessageBoxButtons.OK, MessageBoxIcon.Asterisk)
        Else
            MsgBox("Unauthorized access. Aborting...")
            Close()
        End If
        dr1.Close()
    End If
End Sub
Upvotes: 1
Views: 3447
Reputation: 15076
With the .NET membership providers you get hashing and seeding supplied by the .NET library, which should be implemented correctly. This, IMHO, is much preferable to rolling your own solution. There is an introduction to membership here.

If you prefer to make your own implementation, the seeding and hashing part is not overly complex. The seeding could be as simple as adding a random string to the original password prior to hashing it. You then store the hash and the seed in the database. When the user provides the password you then simply re-add the seed and compare the hashes. Note that when you make random strings for cryptographic purposes you should not rely on Random, but rather go for some cryptographically secure random generator. The System.Security.Cryptography namespace also contains implementations of many suitable hashing algorithms (SHA1, SHA256 or similar).

Again: in my opinion you should go for a solution using the SqlMembershipProvider to avoid reimplementing security-critical stuff.
Upvotes: 0
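The seed-and-hash flow described in the answer above, written out in VB.NET as an added example that is not part of the original question or answers. It assumes .NET Framework 4.0 or later, an open SqlConnection cn, and that the StudentDetails.Subjects table has text columns Salt and PasswordHash (column names assumed); PBKDF2 via Rfc2898DeriveBytes is used in place of a single SHA hash so that each guess costs the attacker many iterations.

```vb
Imports System
Imports System.Data.SqlClient
Imports System.Security.Cryptography

Public Module PasswordHasher
    Private Const SaltSize As Integer = 16        ' random salt bytes per user
    Private Const HashSize As Integer = 32        ' derived key bytes to store
    Private Const Iterations As Integer = 100000  ' PBKDF2 work factor

    ' Makes a fresh salt with a cryptographically secure RNG (not System.Random)
    ' and derives the hash from password + salt; store both, never the password.
    Public Sub HashPassword(password As String, ByRef saltBase64 As String, ByRef hashBase64 As String)
        Dim salt(SaltSize - 1) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(salt)
        End Using
        saltBase64 = Convert.ToBase64String(salt)
        hashBase64 = Convert.ToBase64String(Derive(password, salt))
    End Sub

    ' Re-adds the stored salt to the supplied password and compares the hashes
    ' byte by byte without stopping at the first mismatch.
    Public Function VerifyPassword(password As String, saltBase64 As String, hashBase64 As String) As Boolean
        Dim expected As Byte() = Convert.FromBase64String(hashBase64)
        Dim actual As Byte() = Derive(password, Convert.FromBase64String(saltBase64))
        If actual.Length <> expected.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To actual.Length - 1
            diff = diff Or (actual(i) Xor expected(i))
        Next
        Return diff = 0
    End Function

    ' Login check (Salt/PasswordHash column names assumed): the user name is a
    ' parameter and the password never reaches SQL; only salt and hash come back.
    Public Function CheckLogin(cn As SqlConnection, userName As String, password As String) As Boolean
        Dim cmd As New SqlCommand("SELECT Salt, PasswordHash FROM StudentDetails.Subjects WHERE UserID = @UserID", cn)
        cmd.Parameters.AddWithValue("@UserID", userName)
        Using dr As SqlDataReader = cmd.ExecuteReader()
            If Not dr.Read() Then Return False
            Return VerifyPassword(password, dr.GetString(0), dr.GetString(1))
        End Using
    End Function

    Private Function Derive(password As String, salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations)
            Return kdf.GetBytes(HashSize)
        End Using
    End Function
End Module
```

When a user is created or changes their password, call HashPassword and store the two returned strings; the login form then calls CheckLogin instead of comparing the typed password against a stored one.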
Reputation: 166
P.S. Akaglo, a better way to check if any fields were left empty is to use the String.IsNullOrEmpty() method. Your method will not detect any null or space characters.
Upvotes: 1
Reputation: 8312
Use a parametrized query:

Dim cmdText As String = _
    "INSERT INTO Customer(UserName, [Password]) VALUES (@UserName, @Password)"
Dim cmd As SqlCommand = New SqlCommand(cmdText, con)
With cmd.Parameters
    ' the values travel as parameters and are never spliced into the SQL text
    .Add(New SqlParameter("@UserName", txtUserName.Text))
    .Add(New SqlParameter("@Password", txtPassword.Text))
End With
Upvotes: 1