
Thread: Need Some Help With SHA-1 HASH

  1. #1
    New Member
    Join Date
    Jul 12
    Posts
    2

    Need Some Help With SHA-1 HASH

    I really hope someone could help me out with this...I have an SQL database for my server that contains usernames and passwords for all my clients. When people create their accounts on my website (CMS), their passwords are encrypted in SHA-1 Hash form...

    Now, I'm making a program that requires authentication. So basically the person is supposed to enter their information (username and password) that is stored in the SQL database to be able to access the program. I am using THIS tutorial to teach me how to do this: http://www.youtube.com/watch?v=u1waZnO8PCk

    One problem, since the passwords are stored in SHA-1 I can't think of a way to make it read the SHA-1 passwords that are stored in the DB, when the person enters a string type piece of text as their password while they try to login.

    Could anyone help me out? Thanks

  2. #2
    PowerPoster dunfiddlin's Avatar
    Join Date
    Jun 12
    Posts
    5,501

    Re: Need Some Help With SHA-1 HASH


  3. #3
    New Member
    Join Date
    Jul 12
    Posts
    2

    Re: Need Some Help With SHA-1 HASH

    Could you please provide a little assistance with this?

  4. #4
    .NUT jmcilhinney's Avatar
    Join Date
    May 05
    Location
    Sydney, Australia
    Posts
    80,805

    Re: Need Some Help With SHA-1 HASH

    First of all, the passwords are not encrypted. They are hashed. Encryption is a two-way process while hashing is one-way.

    Therein lies the problem with your thinking. You seem to be under the impression that you're supposed to get the hashed password from the database, decrypt it and then compare the result to the password the user typed in. That is not the case. The whole point of hashing is that basically you cannot recreate the original data from the hash. That's why it's secure.

    When the user registers, you are hashing the password they provide and storing the result in the database. When a user logs in, you use the user name, if such a user name exists, to get the hash from the database. You then hash the password they logged in with and then compare the two hashes. If the hashes are the same then the original passwords are the same too, so the user is authenticated.

  5. #5
    Addicted Member
    Join Date
    Nov 11
    Posts
    174

    Re: Need Some Help With SHA-1 HASH

    jmcilhinney,

    Do you approve of dunfiddlin's solution? Coz I wanna use it.

  6. #6
    .NUT jmcilhinney's Avatar
    Join Date
    May 05
    Location
    Sydney, Australia
    Posts
    80,805

    Re: Need Some Help With SHA-1 HASH

    Originally Posted by m.davide:
    "jmcilhinney, do you approve of dunfiddlin's solution? Coz I wanna use it."

    There's not much to generating the hash so that's fine. I probably would have used SHA1Managed rather than SHA1CryptoServiceProvider but that's no big deal. Also, I would probably have used Convert.ToBase64String to create a base64 representation of the Byte array rather than converting each Byte to hexadecimal. Again, that's not really a big deal.

    That still doesn't tell you how to use the hash though, which I think is the issue the OP was having. See my previous post for that.
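The login flow described in post #4, with the hex and Base64 encodings from post #6 side by side, as an added example that is not code from the thread or from the linked tutorial. The `users` dictionary is a constructed stand-in for the SQL table, the names `Sha1Hex`, `Sha1Base64`, `Register` and `VerifyLogin` are hypothetical, and it assumes the CMS stores the unsalted SHA-1 digest of the UTF-8 password as hex text.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography
Imports System.Text

Module HashLoginExample
    ' Constructed stand-in for the SQL users table: user name -> stored hash.
    Private ReadOnly users As New Dictionary(Of String, String)

    Private Function Sha1Bytes(password As String) As Byte()
        Using sha As SHA1 = SHA1.Create()
            Return sha.ComputeHash(Encoding.UTF8.GetBytes(password))
        End Using
    End Function

    ' Digest as hex text (assumption: this is the form the CMS stores).
    Function Sha1Hex(password As String) As String
        Return BitConverter.ToString(Sha1Bytes(password)).Replace("-", "").ToLowerInvariant()
    End Function

    ' Same digest as Base64 text, the representation mentioned in post #6.
    Function Sha1Base64(password As String) As String
        Return Convert.ToBase64String(Sha1Bytes(password))
    End Function

    ' Registration: store only the hash, never the password itself.
    Sub Register(userName As String, password As String)
        users(userName) = Sha1Hex(password)
    End Sub

    ' Login: look up the stored hash by user name, hash the typed password
    ' the same way, and compare hash to hash. Nothing is ever "decrypted".
    Function VerifyLogin(userName As String, typedPassword As String) As Boolean
        Dim storedHash As String = Nothing
        If Not users.TryGetValue(userName, storedHash) Then Return False
        Return String.Equals(Sha1Hex(typedPassword), storedHash, StringComparison.OrdinalIgnoreCase)
    End Function

    Sub Main()
        Register("alice", "correct horse")                       ' constructed sample account
        Console.WriteLine(VerifyLogin("alice", "correct horse")) ' right password
        Console.WriteLine(VerifyLogin("alice", "wrong horse"))   ' wrong password
        Console.WriteLine(VerifyLogin("bob", "correct horse"))   ' unknown user
        ' A hex-encoded column will not match a Base64-encoded login hash:
        Console.WriteLine(Sha1Base64("correct horse") = users("alice"))
    End Sub
End Module
```

Whichever text encoding registration used is the one login has to reproduce, otherwise equal passwords produce unequal strings.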

  7. #7
    Addicted Member
    Join Date
    Nov 11
    Posts
    174

    Re: Need Some Help With SHA-1 HASH

    What I did is just store my hashed password on a varchar attribute. Then when a user logs in, I just retrieve the hashed password and compare it to the Text on the password field/TextBox with a simple If-else statement.

  8. #8
    .NUT jmcilhinney's Avatar
    Join Date
    May 05
    Location
    Sydney, Australia
    Posts
    80,805

    Re: Need Some Help With SHA-1 HASH

    Quote Originally Posted by m.davide View Post
    What I did is just store my hashed password on a varchar attribute. Then when a user logs in, I just retrieve the hashed password and compare it to the Text on the password field/TextBox with a simple If-else statement.
    That's all correct except that, as I posted earlier, you need to hash the password provided at login and compare that to the hash created from the password provided at registration. I'm guessing that you're actually doing that already but just neglected to mention it specifically.

  9. #9
    Addicted Member
    Join Date
    Nov 11
    Posts
    174

    Re: Need Some Help With SHA-1 HASH

    Yeah, I totally forgot to mention it.
