Hi, I am using MD5 encryption in my ASP.NET website, where it stores the passwords to the database using MD5 encryption. So when I want to log in using the credentials entered during the registration of the user, I am having trouble comparing the existing password from the database to the current one which I entered to log in. As the stored password is in the encrypted form, I am confused how to compare the encrypted format to the text format?

I am using SQL Server as my database.

4 Answers

4

In addition to what @Jason said... I like salting the password.

    using System;
    using System.Security.Cryptography;
    using System.Web.Security;   // FormsAuthentication lives in System.Web (.NET Framework)

    // Generate byteSize random bytes and Base64-encode them so the salt
    // can be stored in a text column next to the hash.
    public static string CreateSalt(int byteSize)
    {
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
        {
            byte[] buff = new byte[byteSize];
            rng.GetBytes(buff);
            return Convert.ToBase64String(buff);
        }
    }

    // Hash password + salt with SHA-1; the result is an upper-case hex string.
    public static string CreatePasswordHash(string pwd, string salt)
    {
        string saltAndPwd = String.Concat(pwd, salt);
        string hashedPwd = FormsAuthentication.HashPasswordForStoringInConfigFile(saltAndPwd, "sha1");
        return hashedPwd;
    }

When the user is initially created, here is the process:
  • Create the salt => CreateSalt(16)
  • Create the hash with the password and salt => CreatePasswordHash(passwordEntered, salt)
  • Store the hashed password and salt
  • Next time the user logs in, validate the stored credentials against what they have entered into the login form => string enteredPasswordHash = CreatePasswordHash(enteredPassword, saltFromDatabase)
  • Then compare against what is in the database => if (passwordHashInDatabase != enteredPasswordHash) => wrong login credentials

Hope this helps someone...


1 Comment

I love that you gave the use of a salt, but the OP did not say if they are hashing with a salt. I would bet they are not, based on the vagueness of the question. But +1 for recommending a salted hash.
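The register/login procedure this answer describes, as an added example that is not the answer's own code. It keeps the same shape (random salt per user, hash of password plus salt, rehash with the stored salt at login, compare) but uses the current System.Security.Cryptography APIs available on .NET 6 or later, because FormsAuthentication.HashPasswordForStoringInConfigFile exists only in classic ASP.NET on .NET Framework, and because a single SHA-1 or MD5 round is far too fast for password storage; PBKDF2-HMAC-SHA256 is used instead. The iteration count, the user names and the in-memory dictionary standing in for the SQL Server Users table are assumptions of this example.

```csharp
// Added example, not code from the original answer. Requires .NET 6 or later.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed record StoredCredential(byte[] Salt, byte[] Hash, int Iterations);

public static class PasswordStore
{
    private const int SaltSize = 16;        // bytes, matching CreateSalt(16) in the answer
    private const int HashSize = 32;        // PBKDF2-HMAC-SHA256 output length
    private const int Iterations = 600_000; // assumed value; tune to your hardware

    // Stand-in for the Users table (assumption). With SQL Server the lookup
    // would be a parameterised query such as:
    //   SELECT PasswordHash, Salt, Iterations FROM Users WHERE UserName = @user
    private static readonly Dictionary<string, StoredCredential> Users =
        new(StringComparer.OrdinalIgnoreCase);

    // Fresh random salt per user, never reused across accounts.
    public static byte[] CreateSalt() => RandomNumberGenerator.GetBytes(SaltSize);

    // Slow, salted hash. The encoding (UTF-8) is part of the definition and
    // must be the same at registration and at login.
    public static byte[] CreatePasswordHash(string password, byte[] salt, int iterations) =>
        Rfc2898DeriveBytes.Pbkdf2(
            Encoding.UTF8.GetBytes(password), salt, iterations,
            HashAlgorithmName.SHA256, HashSize);

    // Registration: create salt, hash, store hash + salt + parameters.
    // The plaintext password is never stored.
    public static void Register(string userName, string password)
    {
        byte[] salt = CreateSalt();
        byte[] hash = CreatePasswordHash(password, salt, Iterations);
        Users[userName] = new StoredCredential(salt, hash, Iterations);
    }

    // Login: fetch the stored record by user name, rehash the entered
    // password with the STORED salt, and compare the two hashes.
    public static bool Verify(string userName, string enteredPassword)
    {
        if (!Users.TryGetValue(userName, out var stored))
        {
            // Unknown user: do the same amount of work so response time does
            // not reveal whether the user name exists.
            CreatePasswordHash(enteredPassword, new byte[SaltSize], Iterations);
            return false;
        }

        byte[] enteredHash = CreatePasswordHash(enteredPassword, stored.Salt, stored.Iterations);

        // Do not compare with == or SequenceEqual: those stop at the first
        // differing byte. FixedTimeEquals runs in constant time.
        return CryptographicOperations.FixedTimeEquals(enteredHash, stored.Hash);
    }

    public static void Main()
    {
        Register("alice", "correct horse battery staple");

        Console.WriteLine("right password:  " + Verify("alice", "correct horse battery staple"));
        Console.WriteLine("wrong case:      " + Verify("alice", "Correct horse battery staple"));
        Console.WriteLine("unknown user:    " + Verify("bob", "anything"));
    }
}
```

Store the salt and hash either as varbinary columns or Base64/hex text; whichever you choose, decode back to bytes before comparing rather than comparing strings, and store the iteration count alongside the hash so it can be raised later without invalidating existing accounts.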
2

MD5 is a one-way hash, so the password in the database cannot be converted back to plain text. Instead you have to convert the plain text password (the one entered in the login form) to ciphertext using the MD5 hash algorithm.

1 Comment

Yeah, I am in the same process. But I am confused how to compare the bytes (converted text to MD5 format).
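What "comparing the MD5 bytes" looks like in C# on .NET 5 or later, as an added example that is not part of the original thread. The usual reason the comparison fails is that the two sides are not computing or encoding the digest the same way (UTF-8 vs UTF-16 input, hex vs Base64 output, upper vs lower case hex); the example fixes one convention at registration and reuses it at login, then compares bytes rather than strings. MD5 is used here only because it is what the question uses; it is a fast, unsalted hash and is not suitable for new password storage. The sample password is constructed for the example.

```csharp
// Added example, not code from the original thread. Requires .NET 5 or later.
using System;
using System.Security.Cryptography;
using System.Text;

public static class Md5Compare
{
    // Registration side: hash the password and keep the hex form, which is
    // what an MD5 string stored in a varchar/nvarchar column usually is.
    public static string HashToHex(string password)
    {
        // The input encoding is part of the definition. UTF-8 here and at
        // login; Encoding.Unicode (UTF-16) would produce a different digest.
        byte[] digest = MD5.HashData(Encoding.UTF8.GetBytes(password));
        return Convert.ToHexString(digest); // 32 upper-case hex characters
    }

    // Login side: recompute the digest the same way, turn the stored text
    // back into bytes, and compare the byte arrays in constant time.
    public static bool Matches(string storedHex, string enteredPassword)
    {
        byte[] stored = Convert.FromHexString(storedHex);
        byte[] entered = MD5.HashData(Encoding.UTF8.GetBytes(enteredPassword));
        return CryptographicOperations.FixedTimeEquals(stored, entered);
    }

    public static void Main()
    {
        // Constructed sample: what would have been saved at registration.
        string stored = HashToHex("hunter2");
        Console.WriteLine("stored hash:   " + stored);
        Console.WriteLine("same password: " + Matches(stored, "hunter2"));
        Console.WriteLine("wrong case:    " + Matches(stored, "Hunter2"));
    }
}
```

If the existing column holds Base64 instead of hex, decode it with Convert.FromBase64String; if it is varbinary(16), the raw bytes can be compared directly. Comparing the hex strings with == only works when both sides use the same case (Convert.ToHexString is upper-case, while digests formatted with "x2" are lower-case), which is why the example compares bytes.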
1

To compare the MD5 hashes you would need to query the database based on the User Name enter in the login and return the known MD5 hash and the salt (if there is one). Then hash the given password with the known salt. You can then compare the two hashes for a match.

Comments

1

If you are definitely storing the password in an encrypted state, then you only need to encrypt their plaintext password (using the same key) and compare it to the database value. Apples to apples. When encrypted using the same key and algorithm, it will always encrypt and decrypt to the same value.

If this doesn't appear to be working correctly, I would guess that you are not using the same key that you used when you first stored the value in the database. Double-check and make sure that the key you encrypt with is exactly the same as the key you decrypt with. Typically, many of us will use a machine or user-level certificate as a key, to ensure that the value isn't tampered with or changed.

If (instead) you are using MD5 to hash the password, then it's not actually encrypted. Hashing totally munges the plaintext value and you will never get it back. It's the safest and smartest way to store passwords. You merely hash the plaintext into an encoded value and save it to the database -- then, you compare against that hashed value any time the user logs in.

I'm hoping you are hashing and not encrypting. It's definitely a best practice when it comes to password storage. It's very easy to implement and will save you headaches if you're ever audited.

Good luck!

Comments
