Reputation: 179
I seem to be confused about what I need to do. It is a normal login scenario. I am storing the hashed value of the password in the database. [Please don't consider what hashing function I am using.] At login time the user inputs his plain-text password. Now what I need to do is hash this password, pass it to the web service, and then my database needs to compare the two hashed values. Now what I don't know is:
1. When I hash the password at login time with a salt, is it still the same value I get, or something else?
2. Is my database (SQL Server 2008) able to compare two hashed values? If not, what do I need to do? There is no need to get the password from the database.
3. Does passing the hashed password over web services need extra security consideration?
4. I need to handle password recovery also. Can I use encryption/decryption algorithms here?
Please suggest what I need to do.
Upvotes: 3
Views: 132
Reputation: 18290
To increase security, it would be better to use a random salt.
The way I protect the password while storing it in SQL Server is this:
Create the salt from the password, then generate the hash from the concatenation of the user name and password.
It will make the salt dependent on the password and user name. If you are recovering your password, then if the credentials are correct you are able to reset the password.
> Can I use encryption/decryption algorithms?
As for your encryption method, create your own algorithm to encrypt and decrypt the password with the salt using the .NET encryption libraries.
Upvotes: 1
Reputation: 647
You have to save the salt to the database too. In authentication: get the salt, hash the inputted password with the salt, and compare with the hashed value in the database. All of these can reside in C# code.
You can't get the original password from the hashed value. You can generate a random password and force the customer to change the password at the next login.
So I think the hashed value is safe to transfer online. For a site administrator, even though he has access to the database, he still doesn't know the password of the customer.
Upvotes: 0
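The flow described in the answers above (store a per-user random salt next to the hash, recompute the hash from the submitted password and the stored salt at login, compare, and handle recovery by a reset rather than by reading the password back), as an added example that is not part of any answer on this page. It is written in Python rather than C# so the mechanism is easy to run stand-alone; the `USERS` dictionary is a constructed stand-in for the SQL Server users table, and the function names, the PBKDF2 iteration count and the 15-minute token lifetime are my own choices, not anything the asker or answerers specified. It also shows the point behind the first answer's "random salt" remark: two users with the same password end up with different stored hashes.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory "users table" standing in for the database.
# Each row: user name -> {"salt": bytes, "hash": bytes, "reset": (token_hash, expiry) or None}
USERS = {}

# Iteration count is an assumed value for the example; tune it for your hardware.
ITERATIONS = 100_000


def make_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is deterministic: the same password with the same
    # salt always yields the same bytes, which is why the value stored at
    # registration can be compared with the value computed at login.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    # A fresh random salt per user; it is stored in the clear beside the hash.
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": make_hash(password, salt), "reset": None}


def verify(username: str, password: str) -> bool:
    # Login: fetch the user's salt, hash the submitted password with it, compare.
    row = USERS.get(username)
    if row is None:
        # Hash anyway so an unknown user takes about as long as a wrong password.
        make_hash(password, b"\x00" * 16)
        return False
    candidate = make_hash(password, row["salt"])
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, row["hash"])


def begin_reset(username: str, ttl_seconds: int = 900) -> Optional[str]:
    # Recovery: the original password cannot be recovered from the hash, so
    # issue a one-time token (sent to the user out of band) that permits a reset.
    row = USERS.get(username)
    if row is None:
        return None
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token, so a database leak does not expose usable tokens.
    row["reset"] = (hashlib.sha256(token.encode("utf-8")).digest(), time.time() + ttl_seconds)
    return token


def complete_reset(username: str, token: str, new_password: str) -> bool:
    row = USERS.get(username)
    if row is None or row["reset"] is None:
        return False
    token_hash, expiry = row["reset"]
    if time.time() > expiry:
        row["reset"] = None
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode("utf-8")).digest(), token_hash):
        return False
    # Token is single-use; re-salt when the password changes.
    row["reset"] = None
    row["salt"] = os.urandom(16)
    row["hash"] = make_hash(new_password, row["salt"])
    return True


if __name__ == "__main__":
    register("alice", "correct horse")
    register("bob", "correct horse")
    print("same password, different hashes:", USERS["alice"]["hash"] != USERS["bob"]["hash"])
    print("login ok:", verify("alice", "correct horse"))
    token = begin_reset("alice")
    print("reset ok:", complete_reset("alice", token, "new passphrase"))
    print("old password rejected:", not verify("alice", "correct horse"))
```

In this design the comparison happens in application code, not in SQL: the database only stores and returns the salt and hash, which is what the second answer describes. It also assumes the client submits the plain password to the service over TLS and the service does the hashing; if the client hashed it instead, the hash itself would become the secret the service accepts, so nothing would be gained on the wire.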