See more: cryptography
Hi All,

Can anyone please let me know how to store a hashed password using BCrypt (also let me know if BCrypt is safe) in a database and verify the password when the user logs in?

Register Page

Username:.........
Password:........

SAVEBUTTON

Please provide the code to store the username and password in a SQL database using BCrypt.

Username: ...................
Password : .....................

LOGINBUTTON

Provide code to verify the password with the one stored in database.

Thanks & Regards,
Prathap
Posted 9-Oct-12 8:52am
Edited 9-Oct-12 8:58am

Solution 1

Comments
nkkppp 9-Oct-12 14:06pm
   
Hi Marcus,

The link provided is quite useful, as we do not need to write separate code for the salt value and then append it to the password. The code is also much easier to understand.

But will the code below cause any performance issues due to the iterations?

    // Byte-by-byte comparison of two hashes; stops at the first mismatch (not constant-time).
    private static bool MatchSHA1(byte[] p1, byte[] p2)
    {
        bool result = false;
        if (p1 != null && p2 != null)
        {
            if (p1.Length == p2.Length)
            {
                result = true;
                for (int i = 0; i < p1.Length; i++)
                {
                    if (p1[i] != p2[i])
                    {
                        result = false;
                        break;
                    }
                }
            }
        }
        return result;
    }
Nelek 9-Oct-12 14:08pm
   
So... what? Have you tried to ask in the forum at the bottom of that site? Maybe the author will be able to help you better.
   
Right, so what? Using SHA-1 is bad -- please see my answer where I explain what to do instead.
--SA
Marcus Kramer 9-Oct-12 14:14pm
   
Just do everything the way Griff explains in the tip. It works, it's solid and you won't have any performance issues.
nkkppp 9-Oct-12 14:15pm
   
Thank you Marcus.
nkkppp 9-Oct-12 15:26pm
   
Hi Marcus,

I have implemented the code and it works fine.
   
Right, a 5. I also added detail on algorithms to be used -- please see my answer.

Using SHA-1 (as OP tried to) or MD5 is bad for security.
--SA
nkkppp 9-Oct-12 15:37pm
   
Hi Sergey,

Even SHA-1 is outdated, so I am using SHA-512.
   
Exactly. If you look at my answer, you will see that I mentioned that. :-)
As the method of your code sample is named MatchSHA1, it suggests you tried SHA-1. SHA-512 is a right thing to use.
--SA

Solution 2

[In reply to the OP's comment to Solution 1:]

No, don't use SHA1 (or MD5) for any security purposes — they have been found to be broken. Please read:
http://en.wikipedia.org/wiki/Sha1,
http://en.wikipedia.org/wiki/MD5.

The most used reliable and secure cryptographic hash function would be one from the SHA-2 family:
http://en.wikipedia.org/wiki/Cryptographic_hash_function,
http://en.wikipedia.org/wiki/SHA-2.

And you don't need to implement it by yourself. You can use the implementation available in .NET:
http://msdn.microsoft.com/en-us/library/system.security.cryptography.hashalgorithm.aspx.

Of course, this is if you can use .NET or Mono, for platforms other than Windows:
http://en.wikipedia.org/wiki/Mono_%28software%29,
http://www.mono-project.com/Main_Page.

With Mono, you can always get the source code of SHA-2 or other algorithms and use it the way you want, even translate it to other languages. I'm almost sure you will be able to find an implementation for a language you use.

It was a bad idea not to tag your platform and languages; this can badly limit our help. I suggest next time you tag and indicate all relevant information.

Good luck,
—SA
Comments
Marcus Kramer 9-Oct-12 15:37pm
   
+5. A very comprehensive answer. I agree totally with the "Do not use SHA1" philosophy, but because Griff's tip so perfectly answered the OP's question, I figured I had to point them there. Cheers.
   
Yes, you do it right of course. I just have my own way to explain such things, even more detailed than that article, only dispersed in several past answers. I also explain one-way functions and the process of authentication, but OP seems to understand that already. :-)

Thank you, Marcus.
--SA
Nelek 9-Oct-12 15:52pm
   
+5
   
Thank you, Nelek.
--SA
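
An added example, not written by any poster in this thread and not the code of the tip referred to under Solution 1: registration and login with a fresh salt per user, a SHA-512-based hash and a constant-time comparison. It uses .NET's built-in PBKDF2 rather than BCrypt, which needs a third-party package. Assumptions: .NET 6 or later; the in-memory dictionary standing in for the SQL table, the record format, the iteration count and the sample credentials are all hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

static class PasswordStore
{
    const int SaltSize = 16;          // bytes of random salt per user
    const int HashSize = 64;          // bytes of derived hash (SHA-512 output size)
    const int Iterations = 210_000;   // assumed work factor; tune for your hardware

    // Hypothetical stand-in for the SQL table: username -> "iterations.salt.hash".
    static readonly Dictionary<string, string> Users = new();

    public static void Register(string username, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations,
                                                HashAlgorithmName.SHA512, HashSize);
        // Only the salt, the work factor and the hash are stored, never the password.
        Users[username] = string.Join(".", Iterations,
            Convert.ToBase64String(salt), Convert.ToBase64String(hash));
    }

    public static bool Login(string username, string password)
    {
        if (!Users.TryGetValue(username, out var record)) return false;
        string[] parts = record.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations)) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        // Recompute with the stored salt and iteration count, never with new ones.
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations,
                                                  HashAlgorithmName.SHA512, expected.Length);
        // Compares every byte regardless of where the first difference is.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    static void Main()
    {
        // Constructed sample credentials.
        Register("alice", "correct horse battery staple");
        Console.WriteLine(Login("alice", "correct horse battery staple"));
        Console.WriteLine(Login("alice", "wrong password"));
        Console.WriteLine(Login("nobody", "anything"));
    }
}
```

Storing the iteration count next to the salt lets the work factor be raised later without invalidating existing records.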

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 9 Oct 2012
Copyright © CodeProject, 1999-2016