How to hash a password in asp.net core and use it in a stored procedure

Question

Hi there;

There are a lot of examples of SQL stored procedures for User Validations (credential checks) but all of them the password is in text format which is bad security practice. The idea is to hash the password in the client side ( in this case is an ASP.NET Core Wen application) so it can "travel" safe until it reaches the stored procedure. The issue is that I want inside the stored procedure there is a sub-routine that checks if any existing password is identical to the one I'm submitting

IF EXISTS (SELECT TOP 1 UsuarioId FROM [Development].[dbo].[Usuarios] WHERE(HASHBYTES(N'SHA2_256', @Password) =HashedPassword ))

      SET @Message='This Password is already registred in the database...Try another one';    

The above T-SQL piece of code works with the default hash password that comes with the ASP.NET CORE identity class. However I'm using Dapper as custom user store, hence I'm not sure whether I have to create a procedure to hash the password or not ...Please assist

Regards

Answer 1

You should never let a user know that a password they're suggesting is already in use in the database.
This is a great example of why you should never "roll your own" with authentication code. And you should no longer be storing passwords in the DB, hashed or not.

Instead, use an external service like Microsoft Entra ID, Google, etc. to do the authentication phase. Doing it yourself nowadays is a mistake.

It's easy to use options like Microsoft's B2C in your app, particularly in ASP.NET Core, and drastically more secure.