
In C#, there's a method called VerifyHashedPassword(). This does not take a hashing algorithm. In T-SQL, there's a method HashBytes(), which does require that you pass the hashing algorithm.

I am updating a program, and I need to verify the user's password. I have the table of hashed passwords, but I do not know what algorithm was used, only that the C# code uses VerifyHashedPassword, which does not take an algorithm parameter.

What algorithm can I pass to HashBytes() which will match what VerifyHashedPassword uses?

Edit: It is obvious that the suggested question does not answer my question. It is difficult to understand why anyone would have thought that it did.


1 Answer

You will probably NOT be able to use the SQL HashBytes() method to replicate the process, because you don't know the salt. And if you did know the salt, the whole point of modern algorithms is they are tunable, and you don't know the tuning factor used. And even if you knew the tuning factor, the newer tunable algorithms are not yet supported by HashBytes().

But the info you want is it uses the Rfc2898DerivedBytes type, which includes this in the documentation:

Implements password-based key derivation functionality, PBKDF2, by using a pseudo-random number generator based on HMACSHA1.

The output of a password hashed this way will also include a random salt as part of the result. The VerifyHashedPassword() then takes this value and separates the salt (and any other metadata, like the tuning factor) from this input value and uses it to duplicate the original hash process on the attempted password. Then it can compare the hashes to give a valid/invalid result.


I am updating a program, and I need to verify the user's password. I have the table of hashed passwords, but I do not know what algorithm was used, only that the C# code uses VerifyHashedPassword()

You should continue to use that process, if possible. Password validation is not typically done in the database itself.
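The scheme the answer describes (a random salt and the tuning factor are stored alongside the PBKDF2-HMAC-SHA1 subkey, and the verify step splits them back out, re-derives the subkey from the attempted password and compares) can be written out in a few lines. The code below is an added illustration, not code from the question, the answer or the .NET framework; the byte layout (one version byte, a 4-byte iteration count, 16-byte salt, 32-byte subkey) is constructed for this example and is not claimed to match the layout .NET actually writes. It also shows why a bare HashBytes() of the password can never reproduce the stored value: two hashes of the same password differ because the salt differs.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed layout for this example (NOT the .NET PasswordHasher layout):
#   byte 0        version marker
#   bytes 1..4    iteration count, big-endian (the "tuning factor")
#   bytes 5..20   random salt
#   bytes 21..52  PBKDF2-HMAC-SHA1 subkey
VERSION = 0x01
SALT_LEN = 16
SUBKEY_LEN = 32
HEADER_LEN = 1 + 4
TOTAL_LEN = HEADER_LEN + SALT_LEN + SUBKEY_LEN


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2 with HMAC-SHA1 as the PRF, as the Rfc2898DeriveBytes docs describe."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, dklen=SUBKEY_LEN)


def hash_password(password: str, iterations: int = 10_000,
                  salt: Optional[bytes] = None) -> bytes:
    """Hash a password; a fresh random salt is generated unless one is supplied
    (supplying one is only useful for deterministic tests)."""
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    return bytes([VERSION]) + struct.pack(">I", iterations) + salt + _derive(password, salt, iterations)


def parse_hashed_password(stored: bytes):
    """Split a stored value into (iterations, salt, subkey); None if malformed.
    This is the metadata that HashBytes() has no way of knowing."""
    if len(stored) != TOTAL_LEN or stored[0] != VERSION:
        return None
    iterations = struct.unpack(">I", stored[1:HEADER_LEN])[0]
    if iterations < 1:
        return None
    salt = stored[HEADER_LEN:HEADER_LEN + SALT_LEN]
    subkey = stored[HEADER_LEN + SALT_LEN:]
    return iterations, salt, subkey


def verify_hashed_password(stored: bytes, attempt: str) -> bool:
    """Re-derive the subkey from the attempt using the stored salt and
    iteration count, then compare in constant time."""
    parsed = parse_hashed_password(stored)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    actual = _derive(attempt, salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: bytes, min_iterations: int) -> bool:
    """True if the stored value uses a weaker tuning factor than now required;
    a natural place to upgrade old hashes on successful login."""
    parsed = parse_hashed_password(stored)
    return parsed is None or parsed[0] < min_iterations


if __name__ == "__main__":
    h = hash_password("correct horse battery staple")
    print(verify_hashed_password(h, "correct horse battery staple"))  # True
    print(verify_hashed_password(h, "wrong password"))                # False
    # Same password, different stored value: the salt is random each time.
    print(h == hash_password("correct horse battery staple"))          # False
```

The salt and iteration count travel inside the stored value, so the verifier never needs an out-of-band "algorithm" argument; that is exactly the information a database-side HashBytes() call would be missing.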


3 Comments

There's a method which takes a salt, and one which does not require a salt.
If you mean the "HashPassword()" function in the same class, that generates a random salt and then includes it as part of the result. The "Verify" method then splits them apart again to use the same salt with the attempted password.
"Password validation is not typically done in the database itself." isn't quite correct. The password should be hashed on the client side, and then passed to the server to compare the hashes.
