I have a database on a cpanel server, which contains a user field called 'password'. When I look at the field through phpmyadmin, all the passwords appear as md5 encrypted.
So for example, a password thats '12345' would be encrypted and appearing in the database as "e10adc3949ba59abbe56e057f20f883e".
Now, on the original server, thats ok, because even if the password is encrypted in database, when I enter the password on the related website as '12345' it recognizes it and gives access.
The problem is when I export and import the database. After importing the same database into another server, naturally the password values are still encrypted in the database. But, when I try logging in into the related website, the decrypted password, tht is, '12345' does not work anymore. I have to enter the password as "e10adc3949ba59abbe56e057f20f883e" and only then I can login. So I'm guessing the problem is that the data in the password column is not getting decrypted after importing to another database, hence when I enter '12345' instead of the extended md5 value, it does not match and gives me a wrong password error.
So can anyone help me solve this issue? I am supposed to migrate this website on another server, and its a school system, and currently none of my users have access because of this issue.
Thanks.
md5 is not encryption, it's a one-way hash. You cannot find the original value from a hash.
On the second server, if the e10adc3949ba59abbe56e057f20f883e password works, the only reason I see, is that the application is not comparing the hash of the input value it received from the user, it's comparing the input value itself.
Related
I have two questions that i cannot find an answer for.
I have already searched a lot.
The situation
I will deploy C# winforms application to a client, the app have users who should connect to my database on whatever host is to validate they are already logged in to prevent the same user from being logging again from other PCs, so basically when the user logs in the app sent a command to my DB that the XYZ user has been logged in.
The questions
First one and the most important one: how to access my MSSQL server from the client side without putting in the connection string because as you know someone may decompile the app and find the user and password, so basically how to TOKENIZE or ENCRYPT the sql connection string (may then will be decrypted in SQL server but i don't know how too)
The second question is: how effectively implement the above situation, as you know it is easy to send commands that hey I'm logged in and hey I'm logged out (when the user click log out) BUT... What if the electricity went off? the app will not have the chance to send log out command to my server and therefore the user will be LOGGED IN in my server even he is actually not.
Hopefully i do describe my questions properly.
I need to develop in a .NET Application using SQL Server Stored Procedures a validation for passwords.
I've already developed the first validations (uppercase,lowercase,number,etc) but now i need to check that the Passwords must not contain the user's account name or parts of the user's full name that exceed three consecutive characters but i don't know how to do this in SQL (in a stored procedure), maybe with regular expression?
I have searched since this is usually very typical in password validation, but I have not found anything in SQL Server
any ideas about this?
Thanks & Regards!
That is defiantly not the right password protection.
First of all sending critical data unencrypted to the server is not a good idea. Your data must me unencrypted on the assumption that you are performing validations on the server rather than the client through stored procedures. Second if you still want that then use regular expressions for validataion. Third you will have to log all the old passwords in the database. then check latest 6 if match then send message else change the password.
Rather what you should do is :
To do in .Net code you should hash the password and then fetch the hashed password from the server and compare. Log all the hashed passwords in the database. Fetch last 6 passwords and compare with the hashed password ( of course trying all the salts in old passwords as different salts give different results ) entered. If match warn else store password.
I have Tableplus and it it connects and runs queries on a SQL Server database just fine.
When I replicate those connection settings exactly in Datagrip, it fails to connect and complains the username and password are incorrect. I have tried several times and been very thorough in checking that I'm entering the exact same usernames and passwords into both.
What am I doing wrong here?
can you share a little more in-terms of what you're entering in the other places. I use DataGrip for SS as well. I enter the IP for Host, port, then username and password without assigning the username to any instance something\username <-- ex, password obviously. Doublecheck the Database field, you can just leave it blank, it might be trying to route you to a specific database that those credentials don't have access to, so try either leaving it blank, or assigning it specifically. Then make sure the URL in the last box lines up with what you entered, sometimes it doesn't ... oddly enough.
I have no issues with windows authentication. However, using sql server authentication and selecting to save my password on the connection properties seems to work fine to pull up the databases and tables of a particular sql server instance, but when I try to drag and drop table objects into the object relational designer I get the following error...
"Failed to retrieve data for this request. Failed to connect to server (local). Login failed for user 'myusername'".
I've tried changing some advanced settings such as "authentication = sql password" to no avail. As far as I can tell, it is not storing my password in the connection string and I cannot find any way to manually change this. It forces me to use the dialog box to make changes to the connection string. My password is entered but is just ********* so ultimately it seems it really is not remembered (even though I've checked that box) and thus why i'm getting the login errors when dragging and dropping tables.
Does anyone know a workaround or fix....or if I'm missing something obvious. In the past (VS2013, VS2015) I don't remember having this issue.
Note that the string looks proper in the app.config file but still does not allow me to drag and drop tables from object explorer.
i have a column of varbinary(max) type and used a salt of nvarchar(60) type that is generated randomly. I saved the salt in db and saved password using hashbyte(password+ salt).
Now I want to compare user password and authenticate him.
I tried taking his password and running this query--
SELECT [email] from admin where
[password]=HashBytes('SHA1','xxxxxx' +'/KsDnXdU+_a<t19wYCnEi/lxmXmAutR3DVA$#]~dSBskRMB?sb#41+=MFRpE')
It is not returning me email. I ran it directly on sql server management studio. But It gave me blank. Why is it so?
When im selecting by email im getting role, this means email is registered.
Is something wrong in my salt or query?
I fixed it. Actualy adding salt directly was causing me a bug, though it was getting added directly and hash was computed and no error was returned from sql server.
When i ran this query
Select role from admin where salt='/KsDnXdU+_a<t19wYCnEi/lxmXmAutR3DVA$#]~dSBskRMB?sb#41+=MFRpE'
I got no result. I realised, it was some Conversion problem. I used then Convert(nvarchar(60),'%?r>%Vb+$hUZO8}=38/_J[#q#1mf^rz!V&q~\dLH5nQ&/edR\c[6ya|q$e%r')
and ran my query as
SELECT [email] from admin where
[password]=HashBytes('SHA1', 'xxxxxx'+Convert(nvarchar(60),'%?r>%Vb+$hUZO8}=38/_J[#q#1mf^rz!V&q~\dLH5nQ&/edR\c[6ya|q$e%r'))
This returned me email. I am really not sure why this happened, but using sqlserver 2005, and above query i fixed it. I request moderators, If it is any bug in sql server 2005, please do let other know.
You need to use the same code when reading and when writing:
INSERT INTO dbo.admin (email, password, salt)
VALUES(#email,HashBytes('SHA2_512',#password+#salt),#salt);
and
SELECT email FROM dbo.admin
WHERE password = HashBytes('SHA2_512',#password+salt);
The only difference is that the select references the stored salt instead of a passed in salt.
You also should use the SHA2 algorithm as SHA1 is not secure anymore (http://www.md5decrypter.co.uk/sha1-decrypt.aspx). For SHA2_512 your column needs to be 64 bytes (http://msdn.microsoft.com/en-us/library/ms174415.aspx). You should use the specific length instead of (MAX) if possible.
As Aaron noted, SHA2 is not supported before SQL 2012. You can use a CLR implementation instead. This can get you started: http://geekswithblogs.net/hroggero/archive/2009/09/19/strong-password-hashing-with-sql-server.aspx However, it is using only 256 bits.