I'm working on a website (Classic ASP) where the database is in SQL Server 2008. The previous developer did not encrypt or hash the user passwords, so I'm trying to resolve this. My question is: can I do this directly in SQL Server using HASHBYTES(), and will the hashed values match the string sent if I use this on the client side?


On the database I would like to use


Also, I've read that I should use binary to store passwords. Is that correct, or is nvarchar OK, and what size?

Thank you

Walter Ritzel, Senior Software Engineer, commented:
My understanding is that you should have your website behind SSL and no hash on client side, because the hash algorithm is dependent on machine information (mac address, etc.), so something hashed on one machine will not be able to be equal to the same string hashed on another machine.

garethtnash (Author) commented:
Thank you
Scott Fell, EE MVE, Developer & EE Moderator, commented:
What Walter is saying is correct, but I don't see how it answers your question. I have the start of a password system from another question http://www.experts-exchange.com/Programming/Languages/Scripting/ASP/Q_28641013.html and am currently working on a detailed article for this.

The answer is you can use SQL Server to create your hash. Let's say somebody creates a password of "Password123". What you will want to do is create a stored proc that hashes and hopefully salts the password https://msdn.microsoft.com/en-us/library/ms174415.aspx.

Now that the password is created, when the user goes to log in, you can create another stored proc that looks up the user table by the username, then runs the password hashing algorithm and matches the result to what is stored in the database. If it is a match, then you can proceed to be logged in.

Walter is correct that you want to use SSL and you don't want to run your hashing algorithm on the client side because of course that means everybody can see it.

If you can wait a few days, I will have a detailed article on this for Classic ASP, although I am using a SHA256 function to do this all in ASP/VB. But it could be done in SQL Server too.
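The two stored procedures described above (one that salts and hashes on registration, one that looks up the user and re-hashes on login), written as an added T-SQL example for SQL Server 2008 using HASHBYTES(); this is not Scott's code or the article he mentions, and the table, column and procedure names are assumptions. It also answers the storage question: a VARBINARY(32) column holds the 32-byte SHA-256 output exactly, with a separate VARBINARY salt.

```sql
-- Added example (not from the original thread): salted SHA-256 password
-- storage and verification done entirely in SQL Server 2008 with HASHBYTES().
-- Table, column and procedure names are assumptions.
CREATE TABLE dbo.Users (
    UserId       INT IDENTITY(1,1) PRIMARY KEY,
    UserName     NVARCHAR(100) NOT NULL UNIQUE,
    PasswordSalt VARBINARY(16) NOT NULL,  -- random per-user salt
    PasswordHash VARBINARY(32) NOT NULL   -- SHA2_256 output is 32 bytes
);
GO

-- Hash helper: SHA-256 over salt + UTF-16 bytes of the password.
-- Casting NVARCHAR to VARBINARY keeps the bytes exactly as ASP sends them,
-- so the same cast must be used at verification time.
CREATE FUNCTION dbo.fn_HashPassword(@Salt VARBINARY(16), @Password NVARCHAR(128))
RETURNS VARBINARY(32)
AS
BEGIN
    RETURN HASHBYTES('SHA2_256', @Salt + CAST(@Password AS VARBINARY(256)));
END;
GO

-- Registration: generate a fresh salt, store salt and hash, never the password.
CREATE PROCEDURE dbo.usp_CreateUser
    @UserName NVARCHAR(100), @Password NVARCHAR(128)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Salt VARBINARY(16) = CRYPT_GEN_RANDOM(16);
    INSERT INTO dbo.Users (UserName, PasswordSalt, PasswordHash)
    VALUES (@UserName, @Salt, dbo.fn_HashPassword(@Salt, @Password));
END;
GO

-- Login: look up the user's salt, re-hash the submitted password, compare.
-- Returns 1 for a match, 0 otherwise (unknown users also get 0).
CREATE PROCEDURE dbo.usp_VerifyLogin
    @UserName NVARCHAR(100), @Password NVARCHAR(128), @IsValid BIT OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT @IsValid = CASE WHEN PasswordHash = dbo.fn_HashPassword(PasswordSalt, @Password)
                           THEN 1 ELSE 0 END
    FROM dbo.Users WHERE UserName = @UserName;
    SET @IsValid = ISNULL(@IsValid, 0);
END;
GO
```

The ASP page passes the plain password over SSL to usp_VerifyLogin and only checks @IsValid, so the hash and salt never leave the database. A single SHA-256 round is fast to brute-force offline, so where a slow, iterated password hash is available it is the stronger choice; the salt here at least stops one rainbow table from covering every user.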
