
We have been using PWDENCRYPT on our site to hash passwords, but we want to change to using HASHBYTES.

Is it possible to make this conversion automatic? I know that it is not possible to decrypt those strings, but what do I have to consider to make this conversion?

Thanks in advance for an answer.

Michael Eriksen
  • Why use either method? Any method would be weaker than [the built-in authentication providers used by all .NET/.NET Core stacks](https://learn.microsoft.com/en-us/aspnet/identity/overview/getting-started/introduction-to-aspnet-identity). The built-in providers would salt the password and hash it *at least* 1000 times using a strong hash algorithm. The cleartext password would never be sent to the database. – Panagiotis Kanavos Jan 04 '21 at 14:09
  • .NET's [Rfc2898DeriveBytes](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.rfc2898derivebytes?view=net-5.0) provides a standards-based, secure way of generating hashes from passwords through salting, repeated hashing and strong message hashing algorithms. If you want to use a stronger hashing algorithm, you can do so by passing the desired algorithm as a constructor parameter. – Panagiotis Kanavos Jan 04 '21 at 14:14
  • The point of hashing is that no one can get access to the original password. That's why it's called one-way encryption. – Liam Jan 04 '21 at 14:14
  • @Liam Thanks for answering. But if we change algorithm, will the users have to retype their passwords because of the one-way encryption? And because of the missing decrypt function for passwords? – Michael Eriksen Jan 04 '21 at 14:26
  • Yes, like I said, hashed passwords are designed to be unrecoverable. It's designed that way so that if someone gets your data the passwords are unusable, and it also prevents you (or anyone who has access to the data) from being able to see anyone's passwords (as passwords get re-used). So there is no way to move from x hashed password to y. You'll have to come up with another solution. – Liam Jan 04 '21 at 14:50

1 Answer

I can't think of a way to directly convert between the two, but if you can modify the application code, one solution could be to gradually phase out the use of PWDENCRYPT.

When a user attempts to log in, check whether their hashed password is stored with PWDENCRYPT or HASHBYTES. If the hash is stored with HASHBYTES, validate the entered password and log the user in. If the hash is stored with PWDENCRYPT (and validates), then prompt the user to choose a new password before continuing. When the user has chosen a new password, hash it using HASHBYTES and blank out the PWDENCRYPT hash.

After some time, most password-hashes will have been migrated to using HASHBYTES and you can disable the use of PWDENCRYPT. If a user who has not yet migrated attempts to log in, they will need to go through the "reset password" process (which of course should use HASHBYTES).

DISCLAIMER: if you can modify the application code, I strongly suggest that you instead use one of the built-in mechanisms for hashing and validating passwords, such as Microsoft's own PasswordHasher.

Lars Kristensen
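The lazy-migration flow the answer describes, written out in T-SQL as an added example (not code from the question or the answer). The table and column names, the choice of SHA2_256 with a per-user CRYPT_GEN_RANDOM salt, and the numeric result codes are assumptions; PWDCOMPARE is SQL Server's own check for a PWDENCRYPT hash.

```sql
-- Constructed schema (names are assumptions): one column for the legacy PWDENCRYPT
-- hash, and a salt + hash pair for the new HASHBYTES scheme.
CREATE TABLE dbo.AppUser (
    UserId        INT            NOT NULL PRIMARY KEY,
    UserName      NVARCHAR(128)  NOT NULL UNIQUE,
    LegacyPwdHash VARBINARY(128) NULL,   -- written by PWDENCRYPT(), checked with PWDCOMPARE()
    PwdSalt       VARBINARY(16)  NULL,   -- random per-user salt for the new scheme
    PwdHash       VARBINARY(32)  NULL    -- HASHBYTES('SHA2_256', salt + password)
);
GO

-- Store a new password under the HASHBYTES scheme and blank out the legacy hash.
CREATE PROCEDURE dbo.SetPassword
    @UserName NVARCHAR(128), @Password NVARCHAR(128)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @salt VARBINARY(16) = CRYPT_GEN_RANDOM(16);
    UPDATE dbo.AppUser
       SET PwdSalt       = @salt,
           PwdHash       = HASHBYTES('SHA2_256', @salt + CAST(@Password AS VARBINARY(256))),
           LegacyPwdHash = NULL               -- the PWDENCRYPT value is no longer needed
     WHERE UserName = @UserName;
END
GO

-- Login check. @Result: 1 = ok, 2 = ok but legacy hash (force a password change), 0 = reject.
CREATE PROCEDURE dbo.CheckLogin
    @UserName NVARCHAR(128), @Password NVARCHAR(128), @Result INT OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SET @Result = 0;
    DECLARE @legacy VARBINARY(128), @salt VARBINARY(16), @hash VARBINARY(32);
    SELECT @legacy = LegacyPwdHash, @salt = PwdSalt, @hash = PwdHash
      FROM dbo.AppUser WHERE UserName = @UserName;
    IF @hash IS NOT NULL
    BEGIN   -- already migrated: recompute with the stored salt and compare
        IF @hash = HASHBYTES('SHA2_256', @salt + CAST(@Password AS VARBINARY(256)))
            SET @Result = 1;
    END
    ELSE IF @legacy IS NOT NULL AND PWDCOMPARE(@Password, @legacy) = 1
        SET @Result = 2;   -- valid legacy credential: caller must prompt for a new password
END
GO

-- Final phase, after the grace period: drop the remaining legacy hashes so that
-- unmigrated users must go through the reset flow, which calls dbo.SetPassword.
-- UPDATE dbo.AppUser SET LegacyPwdHash = NULL WHERE PwdHash IS NULL;
```

The application maps result 2 to the "choose a new password" page and then calls dbo.SetPassword. A single salted SHA2_256 round is still far cheaper to brute-force offline than the iterated PBKDF2 that PasswordHasher uses, which is why the answer's disclaimer matters.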