
I am trying to make a login and register for my website. I have used a hash to encrypt the password, but I'm struggling to log back in. The code for the login page is below.

This is what I've used to encrypt the password:

using System.Security.Cryptography;
using System.Text;

// Hashes a string with SHA-256 and returns it as 64 lowercase hex characters.
public string ToSHA2569(string value)
{
    using (SHA256 sha256 = SHA256.Create())
    {
        // UTF-8 rather than Encoding.Default, which varies per machine and would make
        // the same password hash differently on another server.
        byte[] hashData = sha256.ComputeHash(Encoding.UTF8.GetBytes(value));
        StringBuilder returnValue = new StringBuilder(hashData.Length * 2);

        for (int i = 0; i < hashData.Length; i++)
        {
            // "x2" gives exactly two characters per byte; plain ToString() produced
            // variable-width decimal, so different byte sequences could collide.
            returnValue.Append(hashData[i].ToString("x2"));
        }
        return returnValue.ToString();
    }
}

This is my register page:

protected void btnSubmit_Click(object sender, EventArgs e)
{
    try
    {
        using (SqlConnection sqlcon = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("UserRegister", sqlcon))
        {
            sqlcon.Open();
            cmd.CommandType = CommandType.StoredProcedure;

            cmd.Parameters.AddWithValue("@Name", txtName.Text.Trim());
            cmd.Parameters.AddWithValue("@Email", txtEmail.Text.Trim());
            // Only the hash is sent to the database; the plaintext is never stored.
            cmd.Parameters.AddWithValue("@Password", ToSHA2569(txtPassword.Text.Trim()));
            cmd.Parameters.AddWithValue("@Created", DateTime.Now);
            cmd.ExecuteNonQuery();
            lblMessage.Text = "You have registered successfully";
        }
    }
    catch (Exception)
    {
        // Do not echo the exception to the user; log it server-side instead.
        lblWrong.Text = "Something went wrong please try again later";
    }
}

This is my login page. I think there is something wrong here. Is it easier to use an encryption key instead of a hash?

protected void btnSubmit_Click(object sender, EventArgs e)
{
    try
    {
        using (SqlConnection sqlcon = new SqlConnection(connectionString))
        {
            sqlcon.Open();
            string checkPasswordQuery = "select Password from [dbo.Register] where Username ='" + ToSHA2569(txtEmail.Text) + "'";
            SqlCommand passcom = new SqlCommand(checkPasswordQuery, sqlcon);

            if (txtPassword.Text == ToSHA2569(txtPassword.Text))
            {
                Response.Redirect("default.aspx");
            }
            else
            {
                Response.Write("Password is not correct");
            }
        }
    }
    catch
    {
        lblWrong.Text = "Something went wrong please try again later";
    }
}
Joe
  • Encrypting implies the ability to decrypt, which is certainly something you should never be able to do. You should use a one-way _hashing function_ to save user passwords. When you need to verify the password, you can simply hash the user's attempt at their password and compare it to the existing hashed password. See [how to store a user's password](https://stackoverflow.com/questions/1054022/best-way-to-store-password-in-database) and the [Adobe password hack](https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/). – ProgrammingLlama Dec 03 '18 at 00:35
  • Also, your login page should be using parameterized queries like your register page. Imagine I enter the username `'; DROP TABLE [dbo.Register]; -- `. Boom, nobody can login. – ProgrammingLlama Dec 03 '18 at 00:37
  • Would you be able to explain more about the parameterized queries if you have the time? It's just I'm quite new to C#. – Joe Dec 03 '18 at 00:49
  • In your "register" code you have parameters, like `cmd.Parameters.AddWithValue("@Name", txtName.Text.Trim());`, right? You just need to use them everywhere you pass data to your database. For example, you could change your second query to `checkPasswordQuery = "select Password from [dbo.Register] where Username = @username;"` and then add a parameter for `@username`. Parameterized queries ensure that the data is separate from the query, so you can't break the query with bad data (or make yourself vulnerable to attack). – ProgrammingLlama Dec 03 '18 at 00:51
  • Okay that makes a lot more sense now. Thank you for your help – Joe Dec 03 '18 at 01:09
  • And don't use [addwithvalue](https://blogs.msmvps.com/jcoehoorn/blog/2014/05/12/can-we-stop-using-addwithvalue-already/) – SMor Dec 03 '18 at 14:22
  • Do you know what this process is called so I can look up an example, or do you have an example? – Joe Dec 03 '18 at 16:45

1 Answer


string checkPasswordQuery = "select Password from [dbo.Register] where Username ='" + ToSHA2569(txtEmail.Text) + "'";

What is the reason for encrypting the email here?

Try changing to the following, where you compare the encrypted password entered with what is in the database.

if (checkPasswordQuery == ToSHA2569(txtPassword.Text))

gkumar
  • It was just some code that I found online. It makes a little more sense now. – Joe Dec 03 '18 at 11:03
  • Would I have to create a new stored procedure for this? And do you have an example of the code I would have to write? – Joe Dec 03 '18 at 11:22
  • Don't use string concatenation; use SQL parameters. You might end up with a SQL injection bug. – 2174714 Dec 04 '18 at 16:18