Compare password of webpages_membership in SQL Server query

Question

I have a web application done in ASP.NET MVC 4. It has users, that are stored in SQL Server database in tables webpages_UserProfile and webpages_Membership

Answer 1

Let's look at the second argument to PwdCompare (emphasis mine):

password_hash
Is the encryption hash of a password. password_hash is *varbinary(128)*.

So, if your column is storing the password in plain text, or is storing a string representation of the binary hash, it's not going to work. You should either change the column to be correct or you will need to convert it first, e.g. check this script:

SELECT PWDENCRYPT(N'mypassword');

Yields:

0x0200D422C0365A196E308777C96CBEF3854818601DDB516CADA98DBDF6A5F23922DC0FADD29B806121EA1A26AED86F57FCCB4DDF98F0EFBF44CA6BA864E9E58A818785FDDEDF

If we try to compare that value as a string, we get 0:

SELECT PWDCOMPARE(N'mypassword', N'0x0200D422C0365A196E308777C96CBEF3854818601DDB516CADA98DBDF6A5F23922DC0FADD29B806121EA1A26AED86F57FCCB4DDF98F0EFBF44CA6BA864E9E58A818785FDDEDF');

If we try to compare it as a varbinary value, we get 1:

SELECT PWDCOMPARE(N'mypassword', 0x0200D422C0365A196E308777C96CBEF3854818601DDB516CADA98DBDF6A5F23922DC0FADD29B806121EA1A26AED86F57FCCB4DDF98F0EFBF44CA6BA864E9E58A818785FDDEDF);

If you can't fix the table, then you can perform this expensive explicit conversion in your query every time (note that the trailing ,1 is important):

SELECT PWDCOMPARE(N'mypassword', 
  CONVERT(VARBINARY(128), N'0x0200D422C0365A196E308777C96CBEF3854818601DDB516CADA98DBDF6A5F23922DC0FADD29B806121EA1A26AED86F57FCCB4DDF98F0EFBF44CA6BA864E9E58A818785FDDEDF'
  , 1));