Random login error .NET rejecting passwords

Posted on 2013-10-08
Medium Priority
Last Modified: 2014-06-18
I am having a rather unusual issue with a .NET website and user logins.

Now I am away the obvious answer is that the user is entering their details incorrectly however this is reported to not be the case.

The issue is that a handful of users are reporting that their details that have been sent are not working correctly. The login is handled using a SQL lookup of the users password hash and compares it to the entered password hash.

When I check the users login credentials it works perfectly every time without fail, however when the user tries using the same information the login attempt fails.

Is there any reason that this would happen? Is there something going wrong with the hashing of the users password that happens intermittently?

It has got me baffled but I need to find a solution.

The code for the login check is:


// Check password matches database for user

        string saltAndPwd = String.Concat(authPassword, authSalt);

        string hashedPwd = FormsAuthentication.HashPasswordForStoringInConfigFile(saltAndPwd, "SHA1");

        if (hashedPwd == authHash)

            FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,

            // Encrypt the ticket.
            string encTicket = FormsAuthentication.Encrypt(ticket);

            // Create the cookie.
            Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));

            // User has logged in
            txtResult.Text = "Invalid login credentials!";

Open in new window

Any help or advice would be greatly appreciated.

Question by:Lee Redhead
  • 3
  • 2
LVL 15

Expert Comment

ID: 39556226
your code looks correct to me. I suspect the issue is with authHash.

To catch the issue, you need to add logging to your code:

Try to duplicate the variables in this line:

 if (hashedPwd == authHash)

To a log file(on webserver).

Author Comment

by:Lee Redhead
ID: 39556402
I am glad it is not me that has made a mistake with the code then. I did think it odd that this is affecting around 5% of all users.

The issue is most likely with authHash but that is the hash that is returned from the DB for the user so as long as they have entered their details correctly then it should allow them in.

My only explanation is that they can not be entering their details correctly but they insist they are.

I have added some code that will log a failed request and the two hashes so I can see if the issue is caused by a failure in the system and not just user error.

Tomorrow morning will tell.

Thank you.
LVL 16

Accepted Solution

Vikram Singh Saini earned 1500 total points
ID: 40056808
My only explanation is that they can not be entering their details correctly but they insist they are.

Let's test if it is true -

Log the user's entered credentials (username and password) in plain format and also log the hashed format for same.
Get list of some of the users who were reporting that it is failing.
Now for those users, check if their entered credentials and the hashed information is exactly the same each time with in database.

Now I'm suspecting (although not sure) that the hashing is not working properly. So you might ask why it is working for some and not for others. It is because hashing is not working same way each time as it should be (again a assumption).
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.


Author Closing Comment

by:Lee Redhead
ID: 40141891
Looking into this a bit further its would seem that there were occasions where the users where entering the completely wrong password. In some cases even though a password was emailed to them with instructions on copying and pasting and that it was case sensitive they would be using passwords that they had set for other systems.

Required adding some code to record the hash of the entered password for failed attempts for 24 hours and users that reported issues had totally different hashes to the one stored.

Thanks for the advice, turns out sending step by step instructions on logging in to a system is not guarantee that they will actually follow those instructions and taking their word for it is not always reliable either.
LVL 16

Expert Comment

by:Vikram Singh Saini
ID: 40141950
It's good to know that at least, in last, you were able to dig out true cause for weird issue.

Based on my coding experience, I never rely on user's words for software or website until I don't confirm it my way.

Author Comment

by:Lee Redhead
ID: 40141956
I think it was because we had about 15 or 20 people with the same issue. I kind of assumed that that number would be a fault and not just a lot of users not following instructions.

I shall be less naive in the future I think.

Featured Post

Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
There is a wide range of advantages associated with the use of ASP.NET. This is why this programming framework is used to create excellent enterprise-class websites, technologies, and web applications.
How to fix display issue, screen flickering issue when I plug in power cord to the machine. Before I start explaining the solution lets check out once the issue how it looks like after I connect the power cord. most of you also have faced this…
From store locators to asset tracking and route optimization, learn how leading companies are using Google Maps APIs throughout the customer journey to increase checkout conversions, boost user engagement, and optimize order fulfillment. Powered …

600 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question