Hi All,

Can anyone please let me know how to store a hashed password using BCrypt (also let me know if BCrypt is safe) in a database and verify the password when the user logs in?

Register Page

Username:.........
Password:........

SAVEBUTTON

Please provide the code to store the username and password in a SQL database using BCrypt.

Username: ...................
Password : .....................

LOGINBUTTON

Provide code to verify the password with the one stored in database.

Thanks & Regards,
Prathap
Posted
Updated 9-Oct-12 7:58am
v4

 
 
Comments
Prathap Gangireddy 9-Oct-12 14:06pm    
Hi Marcus,

The link provided is quite useful, as we do not need to write separate code for the SALT value and then append it to the password. The code is also much easier to understand.

But will the code below cause any performance issues due to the iterations?

private static bool MatchSHA1(byte[] p1, byte[] p2)
{
    bool result = false;
    if (p1 != null && p2 != null)
    {
        if (p1.Length == p2.Length)
        {
            result = true;
            // Compare byte by byte and stop at the first mismatch.
            for (int i = 0; i < p1.Length; i++)
            {
                if (p1[i] != p2[i])
                {
                    result = false;
                    break;
                }
            }
        }
    }
    return result;
}
Nelek 9-Oct-12 14:08pm    
So... what? Have you tried to ask in the forum at the bottom of that site? Maybe the author will be able to help you better.
Sergey Alexandrovich Kryukov 9-Oct-12 15:36pm    
Right, so what? Using SHA-1 is bad -- please see my answer where I explain what to do instead.
--SA
fjdiewornncalwe 9-Oct-12 14:14pm    
Just do everything the way Griff explains in the tip. It works, it's solid and you won't have any performance issues.
Prathap Gangireddy 9-Oct-12 14:15pm    
Thank you Marcus.
[In reply to the OP's comment to Solution 1:]

No, don't use SHA1 (or MD5) for any security purposes — they are found broken. Please read:
http://en.wikipedia.org/wiki/Sha1,
http://en.wikipedia.org/wiki/MD5.

The most used reliable and secure cryptographic hash function would be one from the SHA-2 family:
http://en.wikipedia.org/wiki/Cryptographic_hash_function,
http://en.wikipedia.org/wiki/SHA-2.

And you don't need to implement it by yourself. You can use the implementation available in .NET:
http://msdn.microsoft.com/en-us/library/system.security.cryptography.hashalgorithm.aspx.

Of course, this is if you can use .NET or Mono, for platforms other than Windows:
http://en.wikipedia.org/wiki/Mono_%28software%29,
http://www.mono-project.com/Main_Page.

With Mono, you can always get the source code of SHA-2 or other algorithms and use it the way you want, even translate it to other languages. I'm almost sure you will be able to find an implementation for the language you use.

It was a bad idea not to tag your platform and languages; this can badly limit our help. I suggest next time you tag and indicate all relevant information.

Good luck,
—SA
 
Comments
fjdiewornncalwe 9-Oct-12 15:37pm    
+5. A very comprehensive answer. I agree totally with the "Do not use SHA1" philosophy, but because Griff's tip so perfectly answered the OP's question, I figured I had to point them there. Cheers.
Sergey Alexandrovich Kryukov 9-Oct-12 15:55pm    
Yes, you do it right of course. I just have my own way to explain such things, even more detailed than that article, only dispersed in several past answers. I also explain one-way functions and the process of authentication, but OP seems to understand that already. :-)

Thank you, Marcus.
--SA
Nelek 9-Oct-12 15:52pm    
+5
Sergey Alexandrovich Kryukov 9-Oct-12 15:55pm    
Thank you, Nelek.
--SA

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


