C# and SQL Server: Passwords. Where to do what?

By : Svish
Source: Stackoverflow.com

Ok, I have an application written in C#. We have data in an SQL Server. Among that data we have user accounts, which will give access to the application.

I've read around, and I know that you should salt and hash and possibly hash a bunch of times, etc. But, where do I do what? What do I send to and from the SQL Server? Exactly what do I store in the database? Do I hash it in SQL? (possibly a hash function there, like in mysql?) Do I hash and do the fancy stuff in my code? Do I send the hash to the server and compare, or do I get the hash from the server and compare in my application? What about the salt? Where do I make it? Where do I store it? How do I get it?

In other words, could someone give me a nice and clear walkthrough of a login scenario (and possibly a user add/reset password scenario). What goes where, what should be used where, etc.

Hope someone can clear these things up for me =)

I did this myself a number of years ago before the Membership Provider model was available.

We used the functions built-into ASP.NET to handle the hashing of the password; it's the static method HashPasswordForStoringInConfigFile in the FormsAuthentication namespace. You give it a password and an encryption choice and it returns the hashed password.

Our flow was:
- Get the hashed password from the database for the entered user name.
- Hash the entered password.
- Do they match? If so, continue, else logon failed.

When changing the password, we sent the hash to the database for storing; we did not send the unencrypted password.

And, I believe, it is what the MembershipProvider is doing under the covers today.

To reiterate too, the most important piece when doing forms authentication regardless of how you are doing it, is to work over a secure (HTTPS) connection.
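The add/reset and login flow this answer describes, as an added C# example that is not from the answer or the thread. It keeps the answer's structure (hash in the application, send and store only the hash, compare in the application) but swaps the unsalted HashPasswordForStoringInConfigFile hash for a per-user random salt plus PBKDF2, assumes .NET 6 or later, and the Users table layout and the in-memory dictionary standing in for SQL Server are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
// Added example, not from the thread. Salted PBKDF2 replaces the unsalted
// HashPasswordForStoringInConfigFile hash; needs .NET 6 or later. Only the salt,
// hash and iteration count go to SQL Server, never the clear-text password.
// Assumed table: CREATE TABLE Users (UserName nvarchar(64) PRIMARY KEY,
//                Salt varbinary(16), Hash varbinary(32), Iterations int)
public sealed record PasswordRecord(byte[] Salt, byte[] Hash, int Iterations);

public static class PasswordStore
{
    const int SaltBytes = 16, HashBytes = 32, Iterations = 600_000;
    // In-memory stand-in for the Users table so the example runs without a database.
    static readonly Dictionary<string, PasswordRecord> Users = new();
    // Record used for unknown user names so they cost the same as a wrong password.
    static readonly PasswordRecord Dummy = new(new byte[SaltBytes], new byte[HashBytes], Iterations);
    // Add user / reset password: the application makes the salt and hashes here;
    // the database only ever receives the result.
    public static void SetPassword(string userName, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations,
                                                HashAlgorithmName.SHA256, HashBytes);
        Users[userName] = new PasswordRecord(salt, hash, Iterations);
    }

    // Login: fetch the stored record, re-derive the hash from the entered password
    // with the stored salt and iteration count, and compare in the application
    // with a constant-time comparison.
    public static bool Login(string userName, string password)
    {
        bool known = Users.TryGetValue(userName, out var rec);
        var stored = rec ?? Dummy;
        byte[] attempt = Rfc2898DeriveBytes.Pbkdf2(password, stored.Salt, stored.Iterations,
                                                   HashAlgorithmName.SHA256, stored.Hash.Length);
        return known & CryptographicOperations.FixedTimeEquals(attempt, stored.Hash);
    }
}

public static class Program
{
    public static void Main()
    {
        PasswordStore.SetPassword("svish", "correct horse battery staple");
        Console.WriteLine(PasswordStore.Login("svish", "correct horse battery staple"));
        Console.WriteLine(PasswordStore.Login("svish", "wrong password"));
        Console.WriteLine(PasswordStore.Login("nobody", "anything"));
    }
}
```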

I find it useful to name the stored proc as TableName_Action

example RefClient_Insert, RefClient_Search, RefEmployee_Delete

This way, since the tables are grouped (Ref = Reference in this case) the SPs are grouped too.

Note that I have used _ just for clarity, you may skip it if you like.

By : Sameer
