?
Solved

Comparing Hashed password field with clear text.

Posted on 2011-02-24
2
Medium Priority
?
674 Views
Last Modified: 2012-05-11

Hi,
     I am trying to hash password field and then comparing it.  I updated table as shown below.  But when i try to compare and find the password that matches wtih the password i have entered. No result. What is wrong with tihis?
     Thanks in advance.

Table column description :
pass      varbinary(256)      Unchecked

Update Pass field :
update Tab_Users set Pass = HashBytes('SHA1', '1234567') where  UserId = 10

After update here is the pass :
SELECT pass FROM Tab_Users  where  UserId = 10
0x20EABE5D64B0E216796E834F52D61FD0B70332FC


Compare pass  field :
SELECT * FROM Tab_Users
where pwdcompare(HashBytes('SHA1', '1234567'),pass) = 1 AND UserId = 10
0
Comment
Question by:mhanefitel
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 4

Expert Comment

by:MarioAlcaide
ID: 34970837
Hi, you could create a test user and delete it, just when you are comparing the password ;-)
0
 
LVL 28

Accepted Solution

by:
Ryan McCauley earned 1000 total points
ID: 34970879
PWDCOMPARE is used to compare SQL Server login passwords, not custom hashed application passwords. Since you're comparing the hashes, you don't need it. Change that last select to this:

SELECT * FROM Tab_Users 
where HashBytes('SHA1', '1234567') = pass and UserId = 10

Open in new window


And you'll get what you're looking for.
0

Featured Post

Tech or Treat! - Giveaway

Submit an article about your scariest tech experience—and the solution—and you’ll be automatically entered to win one of 4 fantastic tech gadgets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In part one, we reviewed the prerequisites required for installing SQL Server vNext. In this part we will explore how to install Microsoft's SQL Server on Ubuntu 16.04.
Ready to get certified? Check out some courses that help you prepare for third-party exams.
Familiarize people with the process of utilizing SQL Server functions from within Microsoft Access. Microsoft Access is a very powerful client/server development tool. One of the SQL Server objects that you can interact with from within Microsoft Ac…
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question