How to verify encrypted passwords with user input passwords in the database?


Viewed 982 times

1

I am creating a program in which the user enters a login and password before entering the system. After he enters his input, the passwords will be saved in the database, and then I will check whether the encrypted passwords match the user's input.

Example :

The user has typed :

username : 123456

password : 123456

And after this:

username : E10ADC3949BA59ABBE56E057F20F883E

password : E10ADC3949BA59ABBE56E057F20F883E

After this, it will be saved in the database, but I want to check, when the user re-enters the same password, whether it is equal to and matches the generated hash.

I am making this program, which generates the hash, in Java, and it will be used in HTML.

How can I do this?

3 answers

4


I’ll use the following. I write the user password in hashed form, and when I validate this password I hash the user input and compare this input hash with what is stored in the database.

Validation using a function; I did the example on Oracle. The function receives the password and login (which will surely be unique in its table). You pass the password with the hash already applied to the function, and it returns 0 for false and 1 for true. Here I compare the encrypted passwords.

CREATE OR REPLACE FUNCTION FN_VALIDAR_ACESSO(P_SENHAASH IN VARCHAR2, P_LOGIN IN VARCHAR2) RETURN NUMBER IS
    V_RETORNO NUMBER(1);
    V_CONTADOR NUMBER(2);
BEGIN
    -- Count the rows whose login and stored hash both match the arguments
    SELECT COUNT(*) INTO V_CONTADOR
    FROM PCEMPR
    WHERE USUARIOBD = P_LOGIN
    AND SENHABD = P_SENHAASH;

    IF V_CONTADOR = 0 THEN
        V_RETORNO := 0; -- 0 for FALSE
    ELSE
        V_RETORNO := 1; -- 1 for TRUE
    END IF;

    RETURN V_RETORNO;
END;

Your code:

create procedure funcaoValidar
    @username varchar(255), -- parameter types are assumed; the original omitted them
    @password varchar(255)
as
begin
    declare @existe int
    set @existe = (select count(*)
                   from armazenarSenhas
                   where username = @username /* use the AND operator; a comma does not work */
                   and password = @password)
    if @existe > 0
        print 'Login válido'
    else
        print 'Não há nenhum login válido'
end
  • But this input you compare, do you do it manually or through the database?

  • In the system I made, it is my application that generates the hash; I generate it to record and generate it to compare with what is recorded. Are you generating this hash in the database?

  • To populate the database, you can create a login validation function that receives the input the user has typed, with the hash already applied, and compares it with what is saved.

  • So I’m using Java to generate the hash and then I’m recording the hash in the database. Now I’m wondering how to do the check; I’ll try to do it here the way you said. But as soon as the user types the input, the hash is already generated, so there is no way I can compare.

  • If you don’t succeed, I’ll try to put an example here to see if it gives you an idea.

  • I tried this: since the hash of the user input was already being generated right after he entered the information, I created two variables that take the user input before it is hashed, saved them in the database as well, and then compared the unhashed password with the password generated with the hash. Does this way work?

  • But if you compare the password without the hash to the password with the hash, it will always turn out false. I’ll make an example here; see if it is what you want...

  • Okay, I thank you in advance for your help.

  • Hello friend, thanks for trying to help, but I’m doing it in MySQL, and I think this code will not help much.

  • OK, but try to see if the logic helps you... and apply it in the database you are using.

  • Do you compare the password saved in the database, already hashed, with the user input? Because I did something similar but I don’t know if it will work.

  • Yes, in this example there is exactly this.

  • I created a trial and posted, ?

  • Apparently yes, but I think there has to be a count in your select.

  • Okay, I’ve changed the code.

  • I have no MySQL database here to test your code; I made some corrections to it and posted them. Run it and check if it works...

  • Hello friend, I will test here this modified trial that you showed, but it seems to work, so I already gave +1 and also marked it as the response that helped me.


2

Since your hash generation algorithm generates the same values when applied to the same parameters, you can compare the encrypted user input with the encrypted value in the database.

So, according to your example, when the user 123456 enters their data on the login screen, you must make the comparison:

// String contents are compared with equals(); a single '=' would be an assignment
if (meuGeradorDeHash(nomeUsuarioInformado).equals(nomeJaCriptografadoNoBanco) &&
    meuGeradorDeHash(senhaUsuarioInformada).equals(senhaJaCriptografadaNoBanco)) {
    // valid login
}
  • I can also do something similar to this example in the database, no? Because I am only using Java to encrypt with MD5.

  • Yes, depending on the database, it already has a native function to generate MD5 as well.

  • So, I’m creating a table that will store the values of the username and password.

1

Complementing the answers: if your project is not specifically about the hash-generating algorithm, it is best to leave this function to specialized libraries; see DigestUtils.

import org.apache.commons.codec.digest.DigestUtils;
...
String digest = DigestUtils.sha1Hex(data);
  • Hello friend, my project is specifically only to generate the hash and then pass the variables to the database for comparison between the generated hash and the user input.

  • So that’s really what Emerson said: having the method to generate the hash, you have to compare by generating the hash again and checking it against what’s stored in the database; you shouldn’t try to undo the hash, if you know what I mean.

  • Yes, I understand; even with MD5 it is not possible to undo the encryption. I will try here what was explained in the answers.
