How to store a hashed password in an SQLite DB?

General
1

I am trying this …
To store the password:
Dim Hash As String = Crypto.Hash(k, Crypto.Algorithm.SHA512)
rs.Edit
rs.Field(“UserPassword”).StringValue = Hash
rs.Update

To retrieve the password:
// User enters name in textfield1 and password in textfield2

Dim Hash1 As String = Crypto.Hash(textfield2.text, Crypto.Algorithm.SHA512)

Dim rs As RecordSet = DB.SQLSelect(“SELECT * FROM Users WHERE UserName = '”+textfield1.text+"’ "
Dim Hash2 As String = rs.Field(“UserPassword”).StringValue

So Hash1 = Hashed user input and Hash2 = retrieved password (should be Hashed from the password-store-code above)
Then I compare Hash1 to Hash2 and expect them to match - but they don’t.

Is there an obvious problem with what I am trying to accomplish?

2

You could be having conversion/encoding problems with the binary data. The Hash function returns a MemoryBlock. You might try expressing the Hash as a hexadecimal value before storing and comparing.

3

And, at the very least, you should be using a salt and Crypto.PBKDF2.

4

Thanks Paul - that worked. Thanks Kem, I will update the Crypto.

5

Mark… Kem is right about salting your passwords. Storing unsalted passwords is a big security risk.

To see for yourself how easy it is to crack a hash, take one of your hashes and un-hash it here. I’m yet to find a hash that I couldn’t “un-hash”.

And here is a very good article on how to properly secure your passwords with salted hashes.

6

Since we’re going down this road, you should look into a scheme like Security Through Obesity to further protect the data, and also disallow weak password.

To that end, I have a class that checks passwords against the 10,000 most used and flags those that are similar, e.g., “y4nk3335” essentially spells out “yankees” and would be flagged. It also lets you set rules like “1 upper, 1 lower, 1 digit, 1, symbol, and must meet any three of those”.

These were part of my session materials from XDC but I can make them available separately if there is interest.

7

It couldn’t un-hash “y4nk3335”. :slight_smile:

8

I’m definitely interested…

9

Security Via Obesity:

https://dl.dropboxusercontent.com/u/26920684/Security%20Via%20Obesity.zip

M_CheckPassword:

https://dl.dropboxusercontent.com/u/26920684/M_CheckPassword.zip

Eventually I’ll move these to my web site.

10

Thanks a mil Kem…

11

Kem’s talk at XDC was really worth going to - probably my highlight of the conference. Definitely worth looking at.

12

Looking forward to work through the code and reading Thom’s blog.

13

Agreed. Kem’s talk was very good… Except for the yalping/yowling into the microphone…

14

Thank you Kem, I was just getting ready to send you an e-mail and ask for it.

15

Well damn here I thought it was hanging with the engineers but …. :frowning:

16

Meanwhile, my overblown sense of self worth is on the rise. Keep it up, people.

17

Sorry I missed your talk

Although I’ll confess the first 30 times I looked at the title I did think to myself “Does Kem realize that’s not how you spell Obscurity?”

Then I blitzed through a few google pages & references and decided it was one I did want to sit in on & things just conspired to put me in the other session room at that time

18

Yeah, for a while I thought it was “obscurity” too.

And no problem about going to Bob’s session, I’m sure it was excellent. I mean, mine was mind-blowing and life-changing, and at least one person actually fainted, but I’m sure his was good too. sense of self worth expanding faster

19

careful or we’ll have a SuperKem explosion with a black hole as a result :stuck_out_tongue:

20

Inflation? Increasing expansion?

Kem is obviously full of Dark Energy