I have an application that stores hashed passwords in the database.The applicatin is written in .Net and It uses SQL Server 2012.The authentication workflow is as follows:
Users types Email Address/Password
Database Call is done to retrieve the record by email Address
Servers side verification of the stored hashed password against the password that is typed using this code:
Crypto.VerifyHashedPassword(hashedPassword, password);
I am wondering whether this can be done solely in the database and what are the disadvantages of that approach. I understand that i will be sending clear text passwords to the TSQL Stored Procedure.
I was reading about HashBytes and it seems a candidate for hashing. It seems that I can hash it and convert it to NVARCHAR field and do a comparison on that as follows:
SELECT
....
FROM dbo.Users
WHERE EmailAddress = '<Entered_EmailAddress>'
AND Password = master.dbo.fn_varbintohexstr(HashBytes('SHA2_256', '<Entered_Password>' ))
Related
I have an ASP.NET MVC app hosted on Azure. I use OpenIdConnect/Owin and Azure AD Integrated to authenticate. I have an error log table with a UserId column that only displays the SA username. I also have tables with CreatedBy/ModifiedBy columns that only display the SA username. These records are created via stored procedures.
I already granted execute access to my user account, but the columns continue to be set to the SA username. The only thing that I can think of is a connection string that is causing the value to only be the SA username.
How can I get the stored procedures to run as the user that created/updated the records to set the UserId, CreatedBy and ModifiedBy columns to its username?
UPDATE: I have narrowed down the reason for this. When I deploy the application to Azure, under Publish -> Settings -> Databases, connection strings are entered for the DbContexts. Currently, I have one as Data Source=tcp:servername.database.windows.net,1433;Initial Catalog=dbname;User ID=myusername;Password=StrongPassword123;Encrypt=True;TrustServerCertificate=False
I previously tried the following: Data Source=tcp:servername.database.windows.net,1433;Initial Catalog=dbname;Persist Security Info=False;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Authentication=Active Directory Integrated;, but got the error "The format of the specified domain name is invalid."
How can I get the stored procedures to run as the user that
created/updated the records to set the UserId, CreatedBy and
ModifiedBy columns to its username?
You don't. You pass those values into the stored procedure. Think of it this way: do you think csharpdev has write permissions on the Stack Overflow database? Of course not; the back end code passes your user id into the sproc that creates the record.
i have a database table with a 88digits hash and a 16digits salt. i know the clear password because its my own testuser.
this user, password, hash and salt was created within a website / commercial tool.
I am trying to build my own .net website and would like to use the same user/password database table.
I tried different ways in .net and i found out that based on the length of the hash(88) is has to be a sha512 hashing.
i read the existing salt from the table and build a hash from password and salt. the outcome is different to the existing hash in the database table.
i believe my "sha512managed" is wrong or the commercial tool uses not only password + salt to create the hash. maybe the use Encoding.Unicode.GetBytes(string.Concat("text" + password, salt)) or something.
i there any whay to figure this out?
How to capture a user's Active Directory userPrinicpalName when they login with Windows authentication, and then compare that to a SQL Server table column in C#?
Any ideas would be much appreciated.
Check out this page to get the Windows username: How do I get the current username in .NET using C#?
From there you would need to write a sql query that would look up the username.
cmd.CommandText = $"SELECT* FROM table WHERE columnName='{WindowsIdentity.GetCurrent().Name}'"
You may need additional using statement to use WindowsIdentity. Add using System.Security.Principal to where this method is being used.
I need to encrypt some columns in my MS SQL database (name, ssn ...) and I have been looking at column encryption as described by a few sites such as:
Encrypting Column Level Data in SQL Server
and
Introduction to SQL Server Encryption and Symmetric Key Encryption Tutorial.
I've been able to use an Trigger on insert to encrypt a column and I can decrypt the column within SQL Studio using:
OPEN SYMMETRIC KEY TestTableKey
DECRYPTION BY PASSWORD = 'Pa$$w0rd'
CONVERT(VARCHAR(50),DECRYPTBYKEY(EncryptSecondCol)) AS DecryptSecondCol
FROM TestTable
But how do I access the data from my application? I still want to be able to search for names. The only thing I can think of is using a Stored Procedure and sending the decryption password as a parameter in the LINQ statement so the stored procedure can decrypt the data and then execute the query.
Am I on the right track?
I'm new to this so I welcome other useful suggestions.
Yes, I have seen stored procedures to decrypt encrypted text. I've also seen stored procedures to encrypt text, which I prefer to Triggers because I don't like Triggers - see these answers.
However, I prefer to put encryption logic in my application layer - using, for example, the Enterprise Library Encryption Code. The passphrase and salt are easily encrypted in the config file using the Enterprise Library console.
Is there a specific reason for doing this work in the database? If you must do it that way, you could use EL to protect your passphrase and pass that into the stored procedure you've written.
If you are using MS SQL Server Enterprise or Developer editions, you can use TDE:
TDE
I started to use ADO.NET for 3 days and want to make a program that can control if UserID and Password is suited with it's database value or not .The point is that i am confused about control all UserID and Password rows to suitable.Must i control UserId and password one by one with a loop or is there any sql command to make this.Thanx..
Are you doing this to learn or for production use?
If it is for production use I strongly advice you to look into using the ASP.NET Membership provider instead of building your own security system. It is thoroughly tested and known to be secure.
If it is to learn then you should write a suitable SQL statement. One way to do it efficiently with one query is:
SELECT 1 FROM Users WHERE UserId='GivenUserId' AND Password='GivenPassword'
That will give you one result row back if there is a successful match, or no row back if either user name or password is wrong.
BTW, I suggest to do not store password in DataBase in plain text, use simple MD5 helper to store MD5 hash of password and just compare hash instead of password itself