Hey

I need some help here i have created a easy login with registration that save the password in plain text but now i want it to be hash and salted but i do not now how i can do this.

This is the code for login:

 try
            { 
            SqlConnection con = new SqlConnection();
            con.ConnectionString = "Data Source=(loc);Initial Catalog=InformationDb;Integrated Security=True";
                con.Open();

            string txtUs = TxtUser.Text; 
            string txtPass = TxtPass.Text;

            string query = "SELECT * FROM User WHERE Username=@user and Password =@passW";
            SqlCommand cmd = new SqlCommand(query,con);
            cmd.Parameters.Add(new SqlParameter("@user",txtUser));
            cmd.Parameters.Add(new SqlParameter("@passW",txtPass));

            SqlDataReader dr = cmd.ExecuteReader();

            int count = 0;
            while (dr.Read())
            {
                count = ++;
            }
            if (count == 1)
            {
                this.Hide();
                var f2 = new F2();
                F2.Closed += (s, args) => this.Close();
                F2.Show();

and this is for regg:

SqlConnection con = new SqlConnection();
            con.ConnectionString = "Data Source=(loc);Initial Catalog=InformationDb;Integrated Security=True";
            con.Open();
            SqlCommand cmd = new SqlCommand("insert into [User] (Username,Password,Firstname,Lastname,Email) VALUES(@user,@pass,@fname,@lname,@emai)", con);
            cmd.Parameters.AddWithValue("@user", TxtUserN.Text);
            cmd.Parameters.AddWithValue("@pass", txtpass.Text);
            cmd.Parameters.AddWithValue("@fname", txtFName.Text);
            cmd.Parameters.AddWithValue("@lname", txtLName.Text);
            cmd.Parameters.AddWithValue("@emai", TxtEmail.Text);
            cmd.ExecuteNonQuery();
            MessageBox.Show("You are registered");

First of all a hash is way to store a value in an almost irreversable state. To use them values are stored as hash values (such as a database). Then when a user tries to log in, you take for instance their password, hash it, and compare it to what's on record. Pretty simple right?

A very easy Hash to use is MD5. Here's a small snippet to use it

MD5CryptoServiceProvider MD5Hasher = new MD5CryptoServiceProvider();
UTF8Encoding encoder = new UTF8Encoding();
Byte [] HashedBytes = MD5Hasher.ComputeHash(encoder.GetBytes(PlainText + "MySALT"));

HashValue = Convert.ToBase64String(HashedBytes);

Do note that MD5 is old, and while fast and still used, it's not the most secure (MD5 can produce a collision, where multiple values can produce the same Hash value ... however it's not super common)

So when you create a user's account, store their password as a hash value (you can run it through like the code I posted above), presumable in your database, as a string.

Then when the user comes back to login, take the password they entered, run it through the same piece of code, and compare to what's in your database. Does the hashed password match the username? If so you have the correct user, if not, then they didn't type the correct password.

Sorry if this is a little rushed, I have to get back to work. But feel free to ask questions (I do know my share about hashing)

Edited 1 Year Ago by JOSheaIV

Unix/Linux passwords are hashed and "salted" with a unique value that will be placed as the first 2 characters of the password in the password file. So, when you want to verify the password, you use the salt value and use that to hash the input value to create a copy of the hash that the user has input. If it matches, then the password is good.

The standard Unix/Linux implementation uses DES-56 to create the passwords. That is not so secure these days, so other login schemes such as LDAP use more secure algorithms.

FWIW, I have implemented these algorithms on a number of occasions for software used in major enterprise systems.

Edited 1 Year Ago by rubberman

This article has been dead for over six months. Start a new discussion instead.