i am trying to make my website more secure and not store passwords as plain text. i looked at the example 'Username and hashed password authentication on login form C# ' on this site to try and incorporate it into my code but i keep getting conversion error
"Error converting data type nvarchar to uniqueidentifier.", also confused as to what data type should password and salt be stored in in the my database table?? Also i check if the users email isn't already in database to prevent them from registering twice
with same email addr.
here are my tables
CREATE TABLE test( ID int identity(1,1) not null, Name nvarchar(50) not null, Surname nvarchar(50) not null, Email nvarchar(50) not null, Department nvarchar(max)null, Username nvarchar(50)null, Password nvarchar(50) not null, salt uniqueidentifier not null
)
IF EXISTS(SELECT ID FROM [test] WHERE [pb_Email] = @Email) BEGIN SELECT -2 -- Email exists. END ELSE BEGIN INSERT INTO [test] ([Name] ,[Surname] ,[Password] ,[Email] ,[Department] ,[Username] ,[salt]) VALUES (@Name ,@Surname ,@Password ,@Email ,@Department ,@username ,@salt) END END
and here is my code:
protected void btnRegister_Click(object sender, EventArgs e)
{
int ID = 0;
string password = Password.Text;
System.Security.Cryptography.RNGCryptoServiceProvider rng = new System.Security.Cryptography.RNGCryptoServiceProvider();
byte[] saltBytes = new byte[36];
rng.GetBytes(saltBytes);
string salt = Convert.ToBase64String(saltBytes);
byte[] passwordAndSaltBytes = System.Text.Encoding.UTF8.GetBytes(password + salt);
byte[] hashBytes = new System.Security.Cryptography.SHA256Managed().ComputeHash(passwordAndSaltBytes);
string hashString = Convert.ToBase64String(hashBytes);
SqlConnection con = new SqlConnection(strConnString);
con.Open();
SqlCommand cmd = new SqlCommand("Reg", con);
cmd.CommandType = System.Data.CommandType.StoredProcedure;
cmd.Parameters.AddWithValue("@Name", Name.Text);
cmd.Parameters.AddWithValue("@Surname", Surname.Text);
cmd.Parameters.AddWithValue("@Email", txtEmail.Text);
cmd.Parameters.AddWithValue("@Department", DropDwnDept.Text);
cmd.Parameters.AddWithValue("@username", user.Text);
cmd.Parameters.AddWithValue("@Password", password);
cmd.Parameters.AddWithValue("@salt", salt);
cmd.ExecuteNonQuery();
con.Close();
cmd.Connection = con;
con.Open();
ID = Convert.ToInt32(cmd.ExecuteScalar());
try
{
if (ID == -2)
{
ClientScript.RegisterStartupScript(GetType(), "alert", "alert('Supplied email address has already been used.');", true);
txtEmail.Text = "";
}
else
{
ClientScript.RegisterStartupScript(GetType(), "alert", "alert('Registration successful.');", true);
Response.Redirect("~/login.aspx");
}
con.Close();
}
catch (Exception) { }
}
}
You could do worse than borrow the source code for the HashPassword and VerfyHashPassword methos from the Crypto helper mentioned in the above article.
None
0 Points
11 Posts
how to hash & salt password in Register and Login
May 14, 2019 02:47 PM|zenani|LINK
i am trying to make my website more secure and not store passwords as plain text. i looked at the example 'Username and hashed password authentication on login form C# ' on this site to try and incorporate it into my code but i keep getting conversion error "Error converting data type nvarchar to uniqueidentifier.", also confused as to what data type should password and salt be stored in in the my database table?? Also i check if the users email isn't already in database to prevent them from registering twice with same email addr.
here are my tables
CREATE TABLE test(
ID int identity(1,1) not null,Name nvarchar(50) not null,Surname nvarchar(50) not null,Email nvarchar(50) not null,Department nvarchar(max)null,Username nvarchar(50)null,Password nvarchar(50) not null,salt uniqueidentifier not null)
my stored procedure:
create PROCEDURE Reg@Name nvarchar(30),@Surname nvarchar(30),@Email nvarchar(50),@Department nvarchar(30),@username nvarchar(30),@Password nvarchar(50),@salt uniqueidentifierASBEGINSET NOCOUNT ON;IF EXISTS(SELECT ID FROM [test] WHERE [pb_Email] = @Email)BEGINSELECT -2 -- Email exists.ENDELSEBEGININSERT INTO [test]([Name],[Surname],[Password],[Email],[Department],[Username],[salt])VALUES(@Name,@Surname,@Password,@Email,@Department,@username,@salt)ENDENDand here is my code:
protected void btnRegister_Click(object sender, EventArgs e) { int ID = 0; string password = Password.Text; System.Security.Cryptography.RNGCryptoServiceProvider rng = new System.Security.Cryptography.RNGCryptoServiceProvider(); byte[] saltBytes = new byte[36]; rng.GetBytes(saltBytes); string salt = Convert.ToBase64String(saltBytes); byte[] passwordAndSaltBytes = System.Text.Encoding.UTF8.GetBytes(password + salt); byte[] hashBytes = new System.Security.Cryptography.SHA256Managed().ComputeHash(passwordAndSaltBytes); string hashString = Convert.ToBase64String(hashBytes); SqlConnection con = new SqlConnection(strConnString); con.Open(); SqlCommand cmd = new SqlCommand("Reg", con); cmd.CommandType = System.Data.CommandType.StoredProcedure; cmd.Parameters.AddWithValue("@Name", Name.Text); cmd.Parameters.AddWithValue("@Surname", Surname.Text); cmd.Parameters.AddWithValue("@Email", txtEmail.Text); cmd.Parameters.AddWithValue("@Department", DropDwnDept.Text); cmd.Parameters.AddWithValue("@username", user.Text); cmd.Parameters.AddWithValue("@Password", password); cmd.Parameters.AddWithValue("@salt", salt); cmd.ExecuteNonQuery(); con.Close(); cmd.Connection = con; con.Open(); ID = Convert.ToInt32(cmd.ExecuteScalar()); try { if (ID == -2) { ClientScript.RegisterStartupScript(GetType(), "alert", "alert('Supplied email address has already been used.');", true); txtEmail.Text = ""; } else { ClientScript.RegisterStartupScript(GetType(), "alert", "alert('Registration successful.');", true); Response.Redirect("~/login.aspx"); } con.Close(); } catch (Exception) { } } }All-Star
190373 Points
27640 Posts
Moderator
Re: how to hash & salt password in Register and Login
May 14, 2019 02:59 PM|Mikesdotnetting|LINK
Usually, the hashed password is Base64-encoded and stored as a simple string.
I would recommend using methods written by exports rather than trying to roll your own, unless you know exactly what you are doing. The standard approach from MS is to generate a cryptographically safe salt, combine that with the password and then hash the result, Then they store the salt with the hash: https://www.mikesdotnetting.com/article/200/the-simplemembershipprovider-secure-passwords-and-the-crypto-helper
You could do worse than borrow the source code for the HashPassword and VerfyHashPassword methos from the Crypto helper mentioned in the above article.
All-Star
45840 Points
16681 Posts
Re: how to hash & salt password in Register and Login
May 14, 2019 03:02 PM|PatriceSc|LINK
Hi,
Your salt is a base64 string and you try to save that to a unique identifier (guid).
ASP.NET does all this and more about of the box. Try perhaps https://docs.microsoft.com/en-us/aspnet/identity/overview/getting-started/introduction-to-aspnet-identity