I have some hash and salt code I intend to try out (not used it before) but I am not sure of a couple of things. I have a new user aspx Register form page and a Log-in form. Do I use the hash and salt code on both the Register.aspx.vb page and Log-in aspx.vb page and, in the MS Access database I am using, whereas plain text would be in my three database columns as: email: 'j.brown@whatever.com', the username as 'jbrown', and the password as 'mypassword' would the salt and hash code insert instead something like the following: email: 'j.brown@whatever.com', username as 'jbrown', and the password as: roKMJYrGEKrp8z5Mah7J2T0cHcMAkZmxT6hplA3i1zTjidv0h.

Is that how it works?

Thank you.

Yes, I would think if you are interested in securing your passwords in the database table, you wouldn't want to store the plain text equivalent. What would be the point of using hash and salt then?

You would store the hash/salt value in your db. When you authenticate a user, you apply the hash/salt, then query your record in the table, then simply compare the results. If they are the same, the user provided the correct password. If they are different, the password that the user entered was not the same password that is stored in the record.

Thanks for that, Jorge. Isn't the hash/salt value stored in the database table when the user first registers - that is, with the hash/salt code applied to Register.aspx.vb, and then later authenticated using the login form (Login.aspx)?

Thanks again.

Isn't the hash/salt value stored in the database table when the user first registers

Yes. When the user registers, you generate the salted hash and store it in the database. When the user logs in, you do more or less the same thing with entered credentials and compare with the stored hash to authenticate. At no point should a password be directly stored in the database, either plain text or merely encrypted.

That's great, thanks for letting me know. I will try the code by adding it to both the Register.aspx.vb and Login.aspx.vb files.