0

I would like to use secure string to have a password in a variable. The password I get it from the database, because I am using hashed password and I need to compare the password given by the user and tha hashed password that I have in the database.

Well, I retrieve the password from the database, that is a hashed pssword. Is an string, so if I convert this string to a secure string, how I start from a string, that is unsecure, has it sense to convert it to secure string? because the string is exposed since I get it from the database and I store it in a string in a first moment.

How is the correct way to compare the stored password in the database and the password given by the user?

I am using a repository that do this work and the repository is executed in the local computer of the user, not in the server.

Thanks.

Álvaro García
  • 18,114
  • 30
  • 102
  • 193
  • I'm confused by the "executed in the local computer of the user" part - does that mean the database lives in the computer of the client? – mafu Jun 27 '14 at 10:35

1 Answers1

1

As you wrote, it would not make sense to convert an existing password string, the damage would already be done. However, since we are talking about the hash, not the password, it is in general fine to query that (please call me out if this is wrong).

But additionally, you can just as well simply ask the db for equality of the hashes instead of querying the existing hash.

Have a look at this question for more information, its accepted answer also has a lot of excellent links.

mafu
  • 31,798
  • 42
  • 154
  • 247
  • If I am not missunderstand, you suggest that in the client I do the hash of the password given by the user and the send a query to the database setting in the where something like where password = 'UserHashedPassword'? – Álvaro García Jun 27 '14 at 10:38
  • Yes, I think so. As far as I know, this is the usual pattern. But I suggest you have a look at the related questions, they should help :) – mafu Jun 27 '14 at 13:38