
I'm doing a registration and login form where I already encrypted the password when the user entered the password in the registration phase. So for login I know that I need to compare the encrypted password in the database with the newly entered encrypted password during login. I don't know if I'm missing some code or I'm writing the wrong code. I know that this question has been asked a few times but I hope I can get some help here. The error that I'm getting is just a message saying Failed to Connect to Database.

I already found the solution C# encrypted Login and tried to follow the code but still, it has an error.

    Imports System.Data.OleDb

    ' Assumed name for the enclosing handler; the posted snippet started at the If below.
    ' LoginAttempts is a form-level Integer, and Encrypt and Mainpage exist elsewhere in the project.
    Private Sub Login()
        If PasswordTextBox1.Text = "" Or UsernameTextBox2.Text = "" Then
            MessageBox.Show("Please fill-up all fields!", "Authentication Error", MessageBoxButtons.OK, MessageBoxIcon.Error)

            'Clear all fields
            PasswordTextBox1.Text = ""
            UsernameTextBox2.Text = ""

            'Focus on Username field
            UsernameTextBox2.Focus()

        Else
            'Connect to DB
            Dim conn As New OleDbConnection()
            conn.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=" & "C:\Users\user1\Documents\Visual Studio 2010\Projects\Crypto\Crypto\crypto.accdb"

            Try
                'Open Database Connection
                conn.Open()

                'The username is passed as a parameter (OleDb uses positional ? markers) instead of
                'being concatenated into the SQL text, so quotes in the input cannot alter the query.
                Dim sql As String = "SELECT Password FROM registration WHERE Username=?"
                Dim cmd As New OleDbCommand(sql, conn)
                cmd.Parameters.AddWithValue("@Username", Encrypt(UsernameTextBox2.Text))

                'ExecuteScalar alone fetches the single stored value. The original code first called
                'ExecuteReader on the same command and left that reader open, which makes ExecuteScalar
                'throw; the catch-all below then reported it as "Failed to connect to Database".
                Dim result As Object = cmd.ExecuteScalar()
                'ExecuteScalar returns Nothing when no row matches (unknown username)
                Dim password As String = If(result Is Nothing, "", result.ToString())

                If password <> "" AndAlso password = Encrypt(PasswordTextBox1.Text) Then

                    PasswordTextBox1.Clear()
                    UsernameTextBox2.Clear()

                    'Focus on Username field
                    UsernameTextBox2.Focus()
                    Me.Hide()
                    Mainpage.Show()
                Else
                    LoginAttempts = LoginAttempts + 1
                    If LoginAttempts >= 3 Then
                        End
                    Else
                        ' If user enters wrong username or password
                        MessageBox.Show("Sorry, wrong username or password", "Authentication Failure", MessageBoxButtons.OK, MessageBoxIcon.Error)

                        'Clear all fields
                        PasswordTextBox1.Text = ""
                        UsernameTextBox2.Text = ""

                        'Focus on Username field
                        UsernameTextBox2.Focus()
                    End If
                End If
            Catch ex As Exception
                'This catches every error, not only connection failures, so show the real cause too
                MessageBox.Show("Failed to connect to Database: " & ex.Message, "Database Connection Error", MessageBoxButtons.OK, MessageBoxIcon.Error)
                'Clear all fields
                PasswordTextBox1.Text = ""
                UsernameTextBox2.Text = ""
            Finally
                'Release the connection whether or not the login succeeded
                conn.Close()
            End Try
        End If

    End Sub

I'm expecting that the encrypted password in the database can be matched with the newly entered password so that the user can log into the system.

asa

1 Answer

Here's what usually happens. When the user registers, you get them to provide a user name and a password, as well as confirming the password. The idea of the confirmation is that the password is usually masked and you want to ensure that they don't lock themselves out of their account by saving a typo. You then hash the password provided with salt and save the user name with the salt and hash. When the user logs in, you get the salt for that user and hash the password provided with that, then compare that to the hash stored in the database. If the hashes match, the user is successfully authenticated.

Hashing is considered preferable to encryption because it is one-way, so no one can reverse-engineer a password from a hash except by brute force. The salt provides extra security because two users with the same password will still not have the same hash. This means that, if the user forgets his password, the system cannot send the existing password to him because it doesn't know what it is. The user has to create a new password in that case. If you use the forgotten password feature of a web site or the like and they tell you what your current password is, they are using inferior security. If they make you create a new password then they are almost certainly using hashing.

There is lots of information about hashing and salting on the web. It's also worth noting that ASP.NET Identity (which can be used outside ASP.NET apps if you want) has password hashing built right in.

InteXX
jmcilhinney
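The register-then-verify flow the answer describes, as an added VB.NET example (not code from the question, the answer, or ASP.NET Identity): registration draws a random salt and derives a PBKDF2 hash with the framework's Rfc2898DeriveBytes, and login re-derives the hash from the stored salt and compares it in constant time. The module and function names are assumed, as is storing the Base64 salt and hash beside the username in the registration table.

```vbnet
Imports System
Imports System.Security.Cryptography

' Added example, not from the question or answer: salted PBKDF2 password hashing.
Module PasswordHashing

    Private Const SaltSize As Integer = 16       ' 128-bit random salt per user
    Private Const HashSize As Integer = 32       ' 256-bit derived hash
    Private Const Iterations As Integer = 100000 ' work factor; raise it as hardware gets faster

    ' Registration: generate a fresh salt and hash the password with it.
    ' Both values are returned as Base64 so they fit in ordinary text columns.
    Public Sub CreatePasswordRecord(password As String, ByRef saltB64 As String, ByRef hashB64 As String)
        Dim salt(SaltSize - 1) As Byte
        Dim rng As New RNGCryptoServiceProvider()
        rng.GetBytes(salt)
        saltB64 = Convert.ToBase64String(salt)
        hashB64 = Convert.ToBase64String(DeriveHash(password, salt))
    End Sub

    ' Login: re-hash the entered password with the stored salt and compare the
    ' result byte for byte without exiting early on the first mismatching byte.
    Public Function VerifyPassword(entered As String, saltB64 As String, hashB64 As String) As Boolean
        Dim salt As Byte() = Convert.FromBase64String(saltB64)
        Dim expected As Byte() = Convert.FromBase64String(hashB64)
        Dim actual As Byte() = DeriveHash(entered, salt)
        If expected.Length <> actual.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To expected.Length - 1
            diff = diff Or (expected(i) Xor actual(i))
        Next
        Return diff = 0
    End Function

    ' PBKDF2 (HMAC-SHA1 in Rfc2898DeriveBytes) over the password and salt
    Private Function DeriveHash(password As String, salt As Byte()) As Byte()
        Dim kdf As New Rfc2898DeriveBytes(password, salt, Iterations)
        Return kdf.GetBytes(HashSize)
    End Function

    Sub Main()
        Dim storedSalt As String = Nothing
        Dim storedHash As String = Nothing
        ' Registration: keep storedSalt and storedHash next to the username in the table
        CreatePasswordRecord("correct horse", storedSalt, storedHash)
        ' Login: only the stored salt and hash are needed, never the original password
        Console.WriteLine("right password accepted: " & VerifyPassword("correct horse", storedSalt, storedHash).ToString())
        Console.WriteLine("wrong password accepted: " & VerifyPassword("wrong guess", storedSalt, storedHash).ToString())
    End Sub
End Module
```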