ASP.NET: user fails to log in after changing password and storing it in an encrypted format in the database.

mush 181 Reputation points
2022-03-28T07:14:46.383+00:00

I'm trying to implement change password for a user in ASP.NET. The problem I'm facing is that after changing the password and saving it in encrypted format in the database, the user can no longer log in unless he enters the encrypted password.

My aspx:

<asp:TextBox ID="txtNewPwd" CssClass="form-control" runat="server" TextMode="Password" Width="206px" ControlToValidate="txtNewPwd">
</asp:TextBox>


My vb code behind:

Imports System.Configuration
Imports System.Data.SqlClient
Imports System.Text

Protected Sub btnSubmit_Click(sender As Object, e As EventArgs) Handles btnSubmit.Click
    ' Encode the new password before it is written to the database
    Dim strpass As String = encryptpass(txtNewPwd.Text)
    Dim rowsAffected As Integer = 0

    ' Using blocks close the connection and dispose the command even on error
    Using con As New SqlConnection(ConfigurationManager.ConnectionStrings("dbconnection").ConnectionString)
        Using cmd As New SqlCommand("update CRMSUsers set password=@pwd where username=@uname", con)
            cmd.Parameters.AddWithValue("@pwd", strpass)
            cmd.Parameters.AddWithValue("@uname", txtUserName.Text)
            con.Open()
            rowsAffected = cmd.ExecuteNonQuery()
        End Using
    End Using

    If rowsAffected > 0 Then
        ' some msg
    Else
        ' some msg
    End If
End Sub

' Base64-encodes the UTF-8 bytes of the password
' (a reversible encoding; no key is involved).
Public Function encryptpass(ByVal password As String) As String
    Dim encode As Byte() = Encoding.UTF8.GetBytes(password)
    Return Convert.ToBase64String(encode)
End Function




 

Accepted answer
  1. Tom Phillips 17,736 Reputation points
    2022-03-28T12:58:35.973+00:00

    What you are using is a very old method and not very secure.

    I suggest you read this:

    https://chandradev819.wordpress.com/2011/04/11/how-to-encrypt-and-decrypt-password-in-asp-net-using-c/

    1 person found this answer helpful.

2 additional answers

  1. Olaf Helper 45,016 Reputation points
    2022-03-28T07:23:31.96+00:00

    user can no longer login unless he enters the encrypted password.

    You show the code to save an encrypted password, but what does the login code that validates the password look like? Do we have to guess it?


  2. Bruce (SqlWork.com) 66,061 Reputation points
    2022-03-29T20:23:33.317+00:00

    Besides your code not working, it is so full of security holes that it would fail any security audit. This is why, unless you understand security, you should use the supplied user identification and password management libraries.
