I'm working on implementing security in an ASP.NET MVC 3 application, and am using the BCrypt implementation found here to handle encryption and verification of passwords.
Forgive me if I'm missing something, but looking at your hash and your model you don't seem to store the salt anywhere; instead you use a new salt each time.
So when the password is set you must store both the hash and the salt; when you want to check an entered password you retrieve the salt, compute the hash using it, then compare against the stored one.
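Added example (not code from the question or from this answer): it shows what the BCrypt.Net port's output looks like and that verification needs only the stored hash string, because the salt is carried inside it. The method names `BCryptHelper.GenerateSalt`, `BCryptHelper.HashPassword(password, salt)` and `BCryptHelper.CheckPassword(plaintext, hashed)` are assumed from the `BCryptHelper.CheckPassword` named on this page; the `BCrypt.Net` namespace is likewise an assumption, so adjust it to the copy of the library you compiled in.

```csharp
using System;
using BCrypt.Net; // assumed namespace of the BCrypt.Net port used on this page

class SaltIsInsideTheHash
{
    // Hash a password for storage. The returned string carries the version,
    // the cost and the 22-character salt, followed by the 31-character hash:
    //   $2a$10$<22 salt chars><31 hash chars>   (60 characters in total)
    static string HashForStorage(string password)
    {
        string salt = BCryptHelper.GenerateSalt(); // fresh random salt at the default cost
        return BCryptHelper.HashPassword(password, salt);
    }

    // Verify a candidate against the stored string only. CheckPassword reads the
    // cost and salt back out of the stored hash, so no separate salt column is needed.
    static bool VerifyAgainstStored(string candidate, string storedHash)
    {
        return BCryptHelper.CheckPassword(candidate, storedHash);
    }

    static void Main()
    {
        string password = "correct horse battery staple"; // constructed sample

        string stored1 = HashForStorage(password);
        string stored2 = HashForStorage(password);

        // Two hashes of the same password differ, because each call drew a new salt ...
        Console.WriteLine(stored1);
        Console.WriteLine(stored2);
        Console.WriteLine("Hashes differ: " + (stored1 != stored2));

        // ... yet both verify, because the salt used for the check comes from the hash itself.
        Console.WriteLine("stored1 verifies: " + VerifyAgainstStored(password, stored1));
        Console.WriteLine("stored2 verifies: " + VerifyAgainstStored(password, stored2));
        Console.WriteLine("wrong password:   " + VerifyAgainstStored("Correct horse battery staple", stored1));

        // The first 29 characters (version, cost, salt) are the part you would
        // otherwise have had to keep in a separate salt column.
        Console.WriteLine("Version/cost/salt prefix of stored1: " + stored1.Substring(0, 29));
    }
}
```

The practical consequence for the schema is a single column that holds the whole 60-character string; a separate salt column is harmless but redundant, and the one thing that must not happen is hashing with a salt that is then thrown away.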
I had the same problem. BCryptHelper.CheckPassword always returns false
I found that the hashed string was stored in the db as a nchar(). This caused the check to always fail. I changed this to char() and it works.
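Added example (not code from this answer) reproducing the fixed-width column problem described above without a database: a bcrypt hash is exactly 60 characters, an NCHAR column wider than that hands it back padded with trailing spaces, and CheckPassword compares its 60-character result with the padded string and so reports a mismatch. The `PadRight` call is a constructed stand-in for the database round-trip; the `BCryptHelper` method names and `BCrypt.Net` namespace are assumed from the page, as in the earlier example.

```csharp
using System;
using BCrypt.Net; // assumed namespace of the BCrypt.Net port used on this page

class FixedWidthColumnProblem
{
    // Constructed stand-in for reading an NCHAR(width) column: SQL Server pads
    // the stored value with spaces out to the declared width.
    static string ReadBackFromNcharColumn(string stored, int width)
    {
        return stored.PadRight(width);
    }

    // Defensive normalisation when loading a hash: strip padding and check the shape,
    // so a schema mistake surfaces as an exception rather than as "always false".
    static string NormaliseStoredHash(string fromDb)
    {
        string hash = fromDb.TrimEnd(); // a bcrypt hash never ends in whitespace
        if (hash.Length != 60 || !hash.StartsWith("$2"))
            throw new FormatException("Stored value is not a 60-character bcrypt hash: '" + fromDb + "'");
        return hash;
    }

    static void Main()
    {
        string password = "hunter2"; // constructed sample
        string hash = BCryptHelper.HashPassword(password, BCryptHelper.GenerateSalt());
        Console.WriteLine("Length as generated:           " + hash.Length);

        // Stored in NCHAR(64): the value comes back with four trailing spaces.
        string padded = ReadBackFromNcharColumn(hash, 64);
        Console.WriteLine("Length read back from NCHAR(64): " + padded.Length);

        // CheckPassword recomputes the hash from the cost and salt embedded at the
        // start of 'padded' (the padding does not disturb that prefix) and then
        // compares its 60-character result with the 64-character stored string.
        // The trailing spaces make that comparison fail, so the right password is rejected.
        Console.WriteLine("Check against padded value: " + BCryptHelper.CheckPassword(password, padded));

        // Trimming on load restores the check; declaring the column VARCHAR(60) or
        // CHAR(60) so that nothing is ever padded is the cleaner fix.
        Console.WriteLine("Check after TrimEnd():      " + BCryptHelper.CheckPassword(password, NormaliseStoredHash(padded)));
    }
}
```

A hash is pure ASCII, so there is no reason to use an N-prefixed (Unicode) column for it in the first place; VARCHAR(60) holds it exactly.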
HttpUtility.HtmlDecode() is used when the user is created, before the password is originally hashed:
Password = Password.Hash(HttpUtility.HtmlDecode(registration.Password)),
However, HttpUtility.HtmlDecode() is not used later when comparing the password to the hash, in
var authorized = _repository.CredentialsAreValid(HttpUtility.HtmlDecode(login.username), login.password);
Perhaps a slight change to:
var authorized = _repository.CredentialsAreValid(HttpUtility.HtmlDecode(login.username), HttpUtility.HtmlDecode(login.password));
I realize this is an older question but I'm contemplating using BCrypt and this question raised a potential flag for me so I'm interested in knowing if this resolves this issue. I apologize, I'm not in a position at the moment to verify my answer, but I hope it helps.
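Added example (not code from the question or this answer) showing why the two paths must agree: HtmlDecode rewrites any password containing an entity sequence such as `&amp;`, so a hash computed from the decoded form will not match a check run on the raw form. The `Normalise` helper, the `Register`/`Login*` method names and the sample password are constructed for illustration; `BCryptHelper` and the `BCrypt.Net` namespace are assumed from the page as in the earlier examples, and `HttpUtility` is the usual `System.Web` class available in an MVC 3 project.

```csharp
using System;
using System.Web;  // HttpUtility, as referenced in the question's own code
using BCrypt.Net;  // assumed namespace of the BCrypt.Net port used on this page

class ConsistentPasswordNormalisation
{
    // One normalisation function used by BOTH registration and login, so the
    // characters that were hashed are the characters that get checked.
    // HtmlDecode is used here because that is what the registration path does;
    // the safest choice is to apply no transformation at all on either path.
    static string Normalise(string rawPassword)
    {
        return HttpUtility.HtmlDecode(rawPassword);
    }

    static string Register(string rawPassword)
    {
        return BCryptHelper.HashPassword(Normalise(rawPassword), BCryptHelper.GenerateSalt());
    }

    // The mismatched login path: the raw form is checked although the decoded form was hashed.
    static bool LoginWithoutDecode(string rawPassword, string storedHash)
    {
        return BCryptHelper.CheckPassword(rawPassword, storedHash);
    }

    // The consistent login path: same normalisation as at registration.
    static bool LoginWithDecode(string rawPassword, string storedHash)
    {
        return BCryptHelper.CheckPassword(Normalise(rawPassword), storedHash);
    }

    static void Main()
    {
        // Constructed sample: a password containing an entity sequence.
        // HtmlDecode turns "&amp;" into "&", so the decoded and raw forms differ.
        string typed = "p&amp;ssw0rd!";
        string stored = Register(typed);

        Console.WriteLine("Raw password:    " + typed);
        Console.WriteLine("What was hashed: " + Normalise(typed));
        // The raw form is not what was hashed, so this check cannot succeed.
        Console.WriteLine("Login, raw:      " + LoginWithoutDecode(typed, stored));
        // Decoding on login as well reproduces the hashed form.
        Console.WriteLine("Login, decoded:  " + LoginWithDecode(typed, stored));

        // A password with no entity sequences is unaffected by the decode, which is
        // why the bug only shows up for some users.
        string plain = "nothing-special-here";
        string storedPlain = Register(plain);
        Console.WriteLine("Plain, raw:      " + LoginWithoutDecode(plain, storedPlain));
    }
}
```

Note that a mismatch of this kind is password-dependent: accounts whose passwords contain no `&...;` sequence log in fine, so it can be missed in testing. If the always-false symptom affects every account, the column type in the previous answer is the more likely cause.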