1

I am currently updating a web site to authenticate from a HashBytes SHA2_512 SALT combination password.

My problem is that once I do this all my current users will no longer be able to login with their existing HashBytes SHA2_512 password.

Is there a way to decrypt(update) via SQL the current HashBytes SHA2_512 password with a HashBytes SHA2_512 SALT combination password.

Here's is an example of my select to verify.

//current which will no longer work once i have updated the page 

SELECT intcustomerid, strUserName, strUserPassword
FROM dbo.tblLoginControl WHERE strUserName = 'Dave' AND strUserPassword =HashBytes('SHA2_512', 'Rice205H*!')


//new one once I have update the page

SELECT [AccountName], [AccountPwd]
FROM [dbo].[SecurityAccounts] WHERE [AccountName]= 'Dave' AND [AccountPwd] =HashBytes('SHA2_512',  [Salt] +  'Rice205H*!')

So I need to take the existing password and update with Salt.

I'm not sure if this can be done and the only workaround would be to email my users and ask them to request a new password from the site?

Thanks.

raymantle
  • 121
  • 1
  • 14
  • @artjom Thanks. This may be the best route and less pain full to my users. I have have a look and reply shortly. – raymantle May 21 '16 at 18:04
  • 1
    This is a great example of why it is a good idea to prefix hashes with a version. – zaph May 21 '16 at 18:42
  • @zaph Can you explain by what you mean "prefix hashes with a version" – raymantle May 21 '16 at 20:39
  • 1
    If you add a version indicator then when (not if) it is necessary to change the scheme it is possible without the need to invalidate current implementations. This allows future-proofing and a gradual rollover to the new version. Note that several password hashing schemes use a `$x$` prefix where the `x` indicates a version. – zaph May 21 '16 at 22:21

1 Answers1

1

There's no way to "decrypt" a hashed password. Why don't you add a column (bit) where you store if the password is encrypted with salt or not.

Then it's just another conditon like:

AND ((isSalted = false 
      AND strUserPassword =HashBytes('SHA2_512', 'Rice205H*!'))
    or [AccountPwd] =HashBytes('SHA2_512',  [Salt] +  'Rice205H*!'))
dnoeth
  • 59,503
  • 4
  • 39
  • 56