How to hash a password in asp.net core and use it in a stored procedure

Jose Daniel Navarro Brito 61 Reputation points
2024-09-12T16:57:36.7066667+00:00

Hi there;

There are a lot of examples of SQL stored procedures for User Validations (credential checks) but all of them the password is in text format which is bad security practice. The idea is to hash the password in the client side ( in this case is an ASP.NET Core Wen application) so it can "travel" safe until it reaches the stored procedure. The issue is that I want inside the stored procedure there is a sub-routine that checks if any existing password is identical to the one I'm submitting

IF EXISTS (SELECT TOP 1 UsuarioId FROM [Development].[dbo].[Usuarios] WHERE(HASHBYTES(N'SHA2_256', @Password) =HashedPassword ))

      SET @Message='This Password is already registred in the database...Try another one';    

The above T-SQL piece of code works with the default hash password that comes with the ASP.NET CORE identity class. However I'm using Dapper as custom user store, hence I'm not sure whether I have to create a procedure to hash the password or not ...Please assist

Regards

ASP.NET Core
ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,612 questions
SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
13,998 questions
ASP.NET API
ASP.NET API
ASP.NET: A set of technologies in the .NET Framework for building web applications and XML web services.API: A software intermediary that allows two applications to interact with each other.
343 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Greg Low 1,770 Reputation points Microsoft Regional Director
    2024-09-13T02:42:57.9233333+00:00

    You should never let a user know that a password they're suggesting is already in use in the database.
    This is a great example of why you should never "roll your own" with authentication code. And you should no longer be storing passwords in the DB, hashed or not.

    Instead, use an external service like Microsoft Entra ID, Google, etc. to do the authentication phase. Doing it yourself nowadays is a mistake.

    It's easy to use options like Microsoft's B2C in your app, particularly in ASP.NET Core, and drastically more secure.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.