I'm doing a registration and login form where I already encrypt the password when the user enters it in the registration phase. So for login I know that I need to compare the encrypted password in the database with the newly entered password, encrypted during login. I don't know if I'm missing some code or writing the wrong code. I know that this question has been asked a few times, but I hope I can get some help here.

Here is the code for the login button:

VB
Imports System.Data.OleDb   ' at the top of the form file; needed for the unqualified OleDbCommand below

    Private Sub SubmitButton4_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles SubmitButton4.Click
        'Check if username or password is empty
        If PasswordTextBox1.Text = "" Or UsernameTextBox2.Text = "" Then
            MessageBox.Show("Please fill-up all fields!", "Authentication Error", MessageBoxButtons.OK, MessageBoxIcon.Error)

            'Clear all fields
            PasswordTextBox1.Text = ""
            UsernameTextBox2.Text = ""

            'Focus on Username field
            UsernameTextBox2.Focus()

        Else
            'Connect to DB
            Dim conn As New OleDbConnection()
            conn.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Users\user1\Documents\Visual Studio 2010\Projects\Crypto\Crypto\crypto.accdb"

            Try
                'Open Database Connection
                conn.Open()

                'Built by string concatenation - the answer below explains why this must become a parameterized query
                Dim sql As String = "SELECT Password FROM registration WHERE Username='" & Encrypt(UsernameTextBox2.Text) & "'"

                Dim cmd As OleDbCommand = New OleDbCommand(sql, conn)

                'Execute the command once only: calling ExecuteReader and then ExecuteScalar on the same
                'command throws because the first reader is still open. ExecuteScalar returns Nothing when
                'no row matches, and String.Replace("", "") throws ArgumentException, so neither is used here.
                Dim result As Object = cmd.ExecuteScalar()
                Dim password As String = If(result Is Nothing, "", result.ToString())

                If (password = Encrypt(PasswordTextBox1.Text)) Then

                    PasswordTextBox1.Clear()
                    UsernameTextBox2.Clear()

                    'Focus on Username field
                    UsernameTextBox2.Focus()
                    Me.Hide()
                    Mainpage.Show()
                Else
                    LoginAttempts = LoginAttempts + 1
                    If LoginAttempts >= 3 Then
                        End
                    Else
                        'If user enters wrong username or password
                        MessageBox.Show("Sorry, wrong username or password", "Authentication Failure", MessageBoxButtons.OK, MessageBoxIcon.Error)

                        'Clear all fields
                        PasswordTextBox1.Text = ""
                        UsernameTextBox2.Text = ""

                        'Focus on Username field
                        UsernameTextBox2.Focus()
                    End If
                End If
            Catch ex As Exception
                'Every failure (connection, query, or a .NET exception) lands here, so show the reason
                MessageBox.Show("Database error: " & ex.Message, "Database Connection Error", MessageBoxButtons.OK, MessageBoxIcon.Error)
                'Clear all fields
                PasswordTextBox1.Text = ""
                UsernameTextBox2.Text = ""
            Finally
                'Release the connection whether or not the login succeeded
                conn.Close()
            End Try
        End If

    End Sub


What I have tried:

I already found the solution https://stackoverflow.com/questions/29032706/c-sharp-encrypted-login and tried to follow the code, but it still has an error.
Updated 24-May-19 19:54pm
Comments
Richard Deeming 29-May-19 13:49pm    
"Encryption" implies that you can recover the original text. As such, it doesn't belong anywhere near an authentication system.

You need to use a secure one-way hash, with a unique salt for each record, and preferably using multiple passes of a key-derivation function like PBKDF2.

Secure Password Authentication Explained Simply
Salted Password Hashing - Doing it Right

1 solution

Not like that! Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
SQL
DROP TABLE MyTable;
A perfectly valid "delete the table" command
SQL
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

Have a look here: Password Storage: How to do it. - the code is in C# but it's pretty obvious, and this can convert it if you really can't understand: Code Converter C# to VB and VB to C# – Telerik

And remember: if this is web based and you have any European Union users then GDPR applies and that means you need to handle passwords as sensitive data and store them in a safe and secure manner. Text is neither of those and the fines can be .... um ... outstanding. In December 2018 a German company received a relatively low fine of €20,000 for just that.
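Putting the answer's two points together (parameterized OleDb queries instead of concatenated SQL, and the salted PBKDF2 hash from Richard Deeming's comment instead of reversible encryption), the following is an added example for the asker's Access database. It is not code from the question, the answer, or the linked tip. It assumes a `registration` table with columns `Username`, `Salt`, `PasswordHash` and `Iterations` (the last three are assumed names the asker would add), stores the username in plain text rather than encrypted, and targets .NET Framework 4 as used by Visual Studio 2010, where `Rfc2898DeriveBytes` is PBKDF2 with HMAC-SHA1 and `CryptographicOperations.FixedTimeEquals` does not exist, so a small fixed-time comparison is written by hand.

```vb
' Added example (not from the original question or answer): register and verify a user
' with a per-user random salt, PBKDF2 (Rfc2898DeriveBytes) and parameterized OleDb queries.
' Assumed table: registration(Username TEXT, Salt TEXT, PasswordHash TEXT, Iterations LONG).
Imports System.Data.OleDb
Imports System.Security.Cryptography

Module PasswordStore

    ' Connection string taken from the question; adjust the path for your machine.
    Private Const ConnString As String = _
        "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Users\user1\Documents\Visual Studio 2010\Projects\Crypto\Crypto\crypto.accdb"

    Private Const SaltBytes As Integer = 16        ' 128-bit random salt per user
    Private Const HashBytes As Integer = 32        ' 256-bit derived key stored as the "hash"
    Private Const Iterations As Integer = 100000   ' PBKDF2 work factor for new registrations

    ' Store a new user. The salt and iteration count are stored next to the hash so that
    ' verification can re-derive the key later and the work factor can be raised over time.
    Public Sub RegisterUser(ByVal username As String, ByVal password As String)
        Dim salt(SaltBytes - 1) As Byte
        Using rng As New RNGCryptoServiceProvider()
            rng.GetBytes(salt)
        End Using
        Dim hash As Byte() = DeriveKey(password, salt, Iterations)

        Using conn As New OleDbConnection(ConnString)
            conn.Open()
            ' "?" placeholders: the values are sent separately and never become part of the SQL text.
            Dim sql As String = "INSERT INTO registration (Username, Salt, PasswordHash, Iterations) VALUES (?, ?, ?, ?)"
            Using cmd As New OleDbCommand(sql, conn)
                ' OleDb binds by position, so add the parameters in the order of the "?" marks.
                cmd.Parameters.AddWithValue("@Username", username)
                cmd.Parameters.AddWithValue("@Salt", Convert.ToBase64String(salt))
                cmd.Parameters.AddWithValue("@PasswordHash", Convert.ToBase64String(hash))
                cmd.Parameters.AddWithValue("@Iterations", Iterations)
                cmd.ExecuteNonQuery()
            End Using
        End Using
    End Sub

    ' Verify a login attempt. Returns False for an unknown user or a wrong password
    ' without revealing which one it was.
    Public Function VerifyUser(ByVal username As String, ByVal password As String) As Boolean
        Dim storedSalt As Byte() = Nothing
        Dim storedHash As Byte() = Nothing
        Dim storedIterations As Integer = 0

        Using conn As New OleDbConnection(ConnString)
            conn.Open()
            Dim sql As String = "SELECT Salt, PasswordHash, Iterations FROM registration WHERE Username = ?"
            Using cmd As New OleDbCommand(sql, conn)
                cmd.Parameters.AddWithValue("@Username", username)
                Using reader As OleDbDataReader = cmd.ExecuteReader()
                    If Not reader.Read() Then Return False   ' no such user
                    storedSalt = Convert.FromBase64String(reader.GetString(0))
                    storedHash = Convert.FromBase64String(reader.GetString(1))
                    storedIterations = reader.GetInt32(2)
                End Using
            End Using
        End Using

        ' Re-derive with the stored salt and iteration count, then compare without an early exit.
        Dim candidate As Byte() = DeriveKey(password, storedSalt, storedIterations)
        Return FixedTimeEquals(candidate, storedHash)
    End Function

    ' PBKDF2-HMAC-SHA1 on .NET Framework 4 (Rfc2898DeriveBytes offers no other PRF there).
    Private Function DeriveKey(ByVal password As String, ByVal salt As Byte(), ByVal iterations As Integer) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, iterations)
            Return kdf.GetBytes(HashBytes)
        End Using
    End Function

    ' Constant-time comparison: every byte is examined regardless of where the first difference is.
    Private Function FixedTimeEquals(ByVal a As Byte(), ByVal b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

End Module
```

With this in place the click handler shrinks to `If VerifyUser(UsernameTextBox2.Text, PasswordTextBox1.Text) Then ... Else ... End If`, with the attempt counter kept as it is. Because the salt and iteration count travel with each row, `Iterations` can be raised for new registrations later without invalidating existing users, and a stolen copy of the `.accdb` file yields per-user salted PBKDF2 outputs rather than anything that can be decrypted back to the password.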
Comments
dyooshi 25-May-19 13:54pm    
Okay, I will change that. It is a dumb mistake. Thanks for pointing it out. Btw, this is not web based. This is just a simple Windows application. So how can I compare the encrypted password with the password that was encrypted during login?
OriginalGriff 25-May-19 16:40pm    
Follow the link and read it - it's only a tip so it's not long - it explains what you should do and why, and gives you the code.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)