Hash password using bcrypt ! when forget password ?

Question

0.00/5 (No votes)

See more:

is Bcrypt one way-hash ?
i try to store admin password to database using Bcrypt encryption.
how about admin forget password ?
how to know admin plain password from password encryption?

What I have tried:

tb2.Text = BCrypt.Net.BCrypt.HashPassword(tb1.Text)

Posted 13-Sep-17 22:37pm

Khabibb Mubarakk

Updated 13-Sep-17 22:45pm

OriginalGriff

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

OriginalGriff · Answer 1 · 2017-09-13T22:45:00

Solution 1

Quote:
is Bcrypt one way-hash ?

Yes. All hashes are effectively one-way: they throw away information to produce a "unique" value for the input.

Quote:
how about admin forget password ?

When you forget a password, you reset it to a new value (and store the hash of that in the DB) and send the new password to the user, encouraging them to change it to one they can remember. (In order to make them do this, I use GUIDs as the new password - nobody wants to try and remember them, so they do reset the value pretty quickly)

Quote:
how to know admin plain password from password encryption?

You can't: all passwords are stored as hashes, so that nobody at all (except the user) has any idea what password they used.

Posted 13-Sep-17 22:45pm

OriginalGriff

Comments

Khabibb Mubarakk 14-Sep-17 6:21am

Send the new passwordto the user(admin) ?
How to do it? I'm make dekstop and offline app... Send directly on app when user ask forget password?? It look like not secure...

Afzaal Ahmad Zeeshan 14-Sep-17 6:24am

You can display that in a message box if this is a desktop application and works offline.

As for the secure part, I agree, but you should consider a secure channel to send the password and do not send in plain-text format.

OriginalGriff 14-Sep-17 6:53am

The usual way is to email it to the user at his registered email address - and expire it if not confirmed in a reasonable period - so that someone with access to the app can't "steal" the account without having access to the email account as well.

Khabibb Mubarakk 14-Sep-17 6:57am

Exactly need connection(online).
No any method is secure when offline

OriginalGriff 14-Sep-17 7:15am

No method is secure when offline: an attacker has physical access to the machine, so can access anything your user can that isn't separately password protected. In most cases, the only thing that is almost guaranteed to exist and be password protected is an email account.

Khabibb Mubarakk 14-Sep-17 7:39am

Basicly i make dekstop app for standalone user (customer service)
I'm using access database..
If i must make it online for send password to email.. Can you give me link reference to do it.. Sorry if out of topic .. In one side the app need website for activity like order online..how can make it ?

OriginalGriff 14-Sep-17 8:48am

That's complicated, because in order to send an email, you need access to an email system - and that means having an ID and (normally) a password as well. After that it's pretty simple:
https://www.codeproject.com/Tips/163829/Sending-an-Email-in-C-with-or-without-attachments

The rest is a very different topic, and you need to first think about exactly what you are trying to achieve (in detail) and then open a new question to cover it - there are people much more expert in online shops than I am.

Khabibb Mubarakk 15-Sep-17 11:41am

Oke i solved this problem.. I try to store salt and hash password to database n if admin forget pass..i use smtp to send email to admin.. I think is secure..