Hi All,
 
Can anyone please let me know how to store a hashed password using BCrypt (also let me know if BCrypt is safe) in a database and verify the password when the user logs in?
 
Register Page
 
Username:.........
Password:........
 
SAVEBUTTON
 
Please provide the code to store the username and password in a SQL database using BCrypt.
 
Username: ...................
Password : .....................
 
LOGINBUTTON
 
Provide code to verify the password with the one stored in database.
 
Thanks & Regards,
Prathap
Posted 9-Oct-12 8:52am
Edited 9-Oct-12 8:58am

Solution 1

Comments
nkkppp at 9-Oct-12 14:06pm
   
Hi Marcus,
 
The link provided is quite useful, as we do not need to write separate code for the salt value and then append it to the password. The code is also much easier to understand.
 
But will the code below cause any performance issues due to the iterations?
 
private static bool MatchSHA1(byte[] p1, byte[] p2)
{
    // Compares two hashes byte by byte and stops at the first mismatch.
    bool result = false;
    if (p1 != null && p2 != null)
    {
        if (p1.Length == p2.Length)
        {
            result = true;
            for (int i = 0; i < p1.Length; i++)
            {
                if (p1[i] != p2[i])
                {
                    result = false;
                    break;
                }
            }
        }
    }
    return result;
}
Nelek at 9-Oct-12 14:08pm
   
So... what? Have you tried to ask in the forum at the bottom of that site? Maybe the author will be able to help you better.
Sergey Alexandrovich Kryukov at 9-Oct-12 15:36pm
   
Right, so what? Using SHA-1 is bad -- please see my answer where I explain what to do instead.
--SA
Marcus Kramer at 9-Oct-12 14:14pm
   
Just do everything the way Griff explains in the tip. It works, it's solid and you won't have any performance issues.
nkkppp at 9-Oct-12 14:15pm
   
Thank you Marcus.
nkkppp at 9-Oct-12 15:26pm
   
Hi Marcus,
 
I have implemented the code and it works fine.
Sergey Alexandrovich Kryukov at 9-Oct-12 15:35pm
   
Right, a 5. I also added detail on algorithms to be used -- please see my answer.
 
Using SHA-1 (as OP tried to) or MD5 is bad for security.
--SA
nkkppp at 9-Oct-12 15:37pm
   
Hi Sergey,
 
Even SHA-1 is outdated, so I am using SHA-512.
Sergey Alexandrovich Kryukov at 9-Oct-12 16:01pm
   
Exactly. If you look at my answer, you will see that I mentioned that. :-)
As the method of your code sample is named MatchSHA1, it suggests you tried SHA-1. SHA-512 is a right thing to use.
--SA

Solution 2

[In reply to the OP's comment to Solution 1:]
 
No, don't use SHA1 (or MD5) for any security purposes — they are found broken. Please read:
http://en.wikipedia.org/wiki/Sha1,
http://en.wikipedia.org/wiki/MD5.
 
The most used reliable and secure cryptographic hash function would be one from the SHA-2 family:
http://en.wikipedia.org/wiki/Cryptographic_hash_function,
http://en.wikipedia.org/wiki/SHA-2.
 
And you don't need to implement it by yourself. You can use the implementation available in .NET:
http://msdn.microsoft.com/en-us/library/system.security.cryptography.hashalgorithm.aspx.
 
Of course, this is if you can use .NET or Mono, for platforms other than Windows:
http://en.wikipedia.org/wiki/Mono_%28software%29,
http://www.mono-project.com/Main_Page.
 
With Mono, you can always get the source code of SHA-2 or other algorithms and use it the way you want, even translate it to other languages. I'm almost sure you will be able to find an implementation for the language you use.
 
It was a bad idea not to tag your platform and languages; this can badly limit our help. I suggest next time you tag and indicate all relevant information.
 
Good luck,
—SA
Comments
Marcus Kramer at 9-Oct-12 15:37pm
   
+5. A very comprehensive answer. I agree totally with the "Do not use SHA1" philosophy, but because Griff's tip so perfectly answered the OP's question, I figured I had to point them there. Cheers.
Sergey Alexandrovich Kryukov at 9-Oct-12 15:55pm
   
Yes, you do it right of course. I just have my own way to explain such things, even more detailed than that article, only dispersed in several past answers. I also explain one-way functions and the process of authentication, but OP seems to understand that already. :-)
 
Thank you, Marcus.
--SA
Nelek at 9-Oct-12 15:52pm
   
+5
Sergey Alexandrovich Kryukov at 9-Oct-12 15:55pm
   
Thank you, Nelek.
--SA

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 9 Oct 2012
Copyright © CodeProject, 1999-2015