
Thread: Salted Password Hash

  1. #11
    richyrich (Administrator)
    Join Date
    Mar 2008
    Location
    Somewhere only we know...
    Posts
    3,207
    Blog Entries
    14
    Real Name
    Rich
    Rep Power
    14

    Hey J

    Could you just clarify if anything in these functions needs to change if you change the size of allowed passwords?

    Let's say, for example, passwords have to be a minimum of 8 characters and a maximum of 15. I presume the salt is unaffected but what about the password hash field? Is there a maximum length the password can be?

    What about if you allowed passwords up to 50 characters, as an extreme case?

    Basically, is the additional 40 characters for the hash field in the DB related to the length of password you have?

  2. #12
    jmurrayhead (The Barnfather)
    Join Date
    Mar 2008
    Location
    Reston, VA
    Posts
    4,547
    Blog Entries
    9
    Real Name
    Jason
    Rep Power
    22

    No...the hash algorithm always generates a 40 character string. So no matter what the password length is, the hash will always be 40 characters.

    Also, to make life easier, you could simply change the password and salt fields to varchar(MAX). Since variable-length data types like varchar only take up the length of the variable, it would make more sense.


  3. #13
    richyrich (Administrator)

    I'm trying to use this again, but am coming up against the same problem.

    I have 2 db fields, hash and salt, both VARCHAR (255) fields.

    When I add a user, I can see the detail in the db table, but when I try logging in using the password, it says the details don't match.

    To create the user, I use:
    Code:
            public static bool AddUser(int ID, User user)
            {
                bool result = false;
                string salt = Global.CreateSalt(12);
                string passhash = Global.CreatePasswordHash(user.password, salt);
                MySqlConnection conn = new MySqlConnection(Global.ConnStr);
                MySqlCommand comm = new MySqlCommand("spAddUser", conn);
                comm.CommandType = CommandType.StoredProcedure;
                comm.Parameters.AddWithValue("username", user.username);
                comm.Parameters.AddWithValue("forename", user.forename);
                comm.Parameters.AddWithValue("surname", user.surname);
                comm.Parameters.AddWithValue("email", user.email);
                comm.Parameters.AddWithValue("pass", passhash);
                comm.Parameters.AddWithValue("salt", salt);
                comm.Parameters.AddWithValue("admin", user.admin);
                comm.Parameters.AddWithValue("userId", ID);
                MySqlParameter id = new MySqlParameter("ref", MySqlDbType.Int32);
                id.Direction = ParameterDirection.Output;
                comm.Parameters.Add(id);
                using (conn)
                {
                    using (comm)
                    {
                        try
                        {
                            conn.Open();
                            comm.ExecuteNonQuery();
                            user.id = (int)id.Value;
                            if (!UserRoleDAL.addUserRoles(user)||!UserRoleDAL.adduserCurrency(user))
                            {
                                result = false;
                            }
                            else
                            {
                                result = true;
                            }
                        }
                        catch (MySqlException ex)
                        {
                            user.err = ex.ToString();
                        }
                    }
                }
                return result;
            }
    
    And to log in, I use:
    Code:
            public static int Login(string username, string password)
            {
                int result = 0;
                MySqlConnection conn = new MySqlConnection(Global.ConnStr);
                MySqlCommand comm = new MySqlCommand("spLogin", conn);
                comm.CommandType = CommandType.StoredProcedure;
                comm.Parameters.AddWithValue("username", username);
                comm.Parameters.AddWithValue("ipAddress",HttpContext.Current.Request.UserHostAddress);
                bool timeOut = false;
                if(HttpContext.Current.Request.Cookies["myCook"]!=null) timeOut=true;
                comm.Parameters.AddWithValue("timedOut",timeOut);
                MySqlDataReader rs;
                using(conn)
                {
                    using(comm)
                    {
                        try{
                            conn.Open();
                            rs = comm.ExecuteReader();
                            if(rs.HasRows)
                            {
                                rs.Read();
                                if(Global.CreatePasswordHash(password,(string)rs["PasswordSalt"])==rs["PasswordHash"])
                                result = (int)rs["ID"];
                                HttpContext.Current.Request.Cookies.Set(new HttpCookie("myCook", "1"));
                            }
                            rs.Close();
                        }
                        catch(MySqlException ex)
                        {
                            HttpContext.Current.Response.Write(ex.ToString());
                        }
                    }
                }
                return result;
            }
        }
    
    The add user returns a value fine and I can see the user in the table, so I know it's been added. Not sure why the login won't work though.

    I also checked my SP in Query browser and that is returning a record.

    Any ideas?

  4. #14
    jmurrayhead (The Barnfather)

    Have you tried stepping through the login and checking what the values of the variables are in the Locals window of VS? Stepping through the application in debug mode is the best way to see where you're going wrong.


  5. #15
    richyrich (Administrator)

    Ahhh..Got it...Needed to explicitly convert table password hash into string
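
The two points settled in this thread (the fixed 40-character hash from #12 and the string conversion from #15), shown as an added example that is not code from the thread. `CreatePasswordHash` here is a hypothetical stand-in, since the real `Global.CreatePasswordHash` body is not on this page; SHA-1 is assumed only because its hex digest is 40 characters, and a dictionary stands in for the data reader row because both return `object` from their indexer.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

static class HashCompareDemo
{
    // Hypothetical stand-in for the thread's Global.CreatePasswordHash.
    // SHA-1 over password+salt is an assumption (40 hex characters).
    static string CreatePasswordHash(string password, string salt)
    {
        using (SHA1 sha = SHA1.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(password + salt));
            return BitConverter.ToString(digest).Replace("-", "");
        }
    }

    static void Main()
    {
        string salt = "c2FsdHNhbHQ="; // constructed sample salt
        // The digest length is fixed, whatever the password length.
        foreach (int len in new[] { 8, 15, 50 })
            Console.WriteLine("{0,2} char password -> {1} char hash", len,
                CreatePasswordHash(new string('x', len), salt).Length);

        // Constructed stand-in for the reader row: the indexer's type is object.
        var row = new Dictionary<string, object>
        {
            { "PasswordSalt", salt },
            { "PasswordHash", CreatePasswordHash("correct horse", salt) }
        };
        string computed = CreatePasswordHash("correct horse", (string)row["PasswordSalt"]);

        // string == object binds to reference equality, so two distinct string
        // instances holding the same characters compare unequal.
        bool asPosted = computed == row["PasswordHash"];
        // Converting the column to string selects string's value equality.
        bool converted = computed == (string)row["PasswordHash"];
        // An explicit ordinal comparison does not depend on operator binding.
        bool ordinal = string.Equals(computed, Convert.ToString(row["PasswordHash"]),
                                     StringComparison.Ordinal);

        Console.WriteLine("as posted: {0}, converted: {1}, ordinal: {2}",
                          asPosted, converted, ordinal);
    }
}
```

The C# compiler flags the `asPosted` line with a "possible unintended reference comparison" warning, which is worth treating as an error in authentication code.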
