User fails to log in after changing password and storing it in an encrypted format in the database.

mush 181 Reputation points

I'm trying to implement change password for a user. The problem I'm facing is that after changing the password and saving it in encrypted format in the database, the user can no longer log in unless he enters the encrypted password.

My aspx:

<asp:TextBox ID="txtNewPwd" cssclass="form-control" runat="server" TextMode="Password" Width="206px" ControlToValidate="txtNewPwd" />

My vb code behind:

Imports System.Configuration
Imports System.Data.SqlClient
Imports System.Text

Protected Sub btnSubmit_Click(sender As Object, e As EventArgs) Handles btnSubmit.Click
    ' Encode the new password before saving it
    Dim strpass As String = encryptpass(txtNewPwd.Text)
    Dim rowsAffected As Integer = 0
    Using con As New SqlConnection(ConfigurationManager.ConnectionStrings("dbconnection").ConnectionString)
        Using cmd As New SqlCommand("update CRMSUsers set password=@pwd where username=@uname", con)
            cmd.Parameters.AddWithValue("@pwd", strpass)
            cmd.Parameters.AddWithValue("@uname", txtUserName.Text)
            con.Open() ' the connection must be open before ExecuteNonQuery
            rowsAffected = cmd.ExecuteNonQuery()
        End Using
    End Using
    If rowsAffected > 0 Then
        ' some msg
        ' some msg
    End If
End Sub

' Base64-encodes the UTF-8 bytes of the password.
' This is a reversible encoding, not encryption or hashing.
Public Function encryptpass(ByVal password As String) As String
    Dim encode As Byte() = Encoding.UTF8.GetBytes(password)
    Return Convert.ToBase64String(encode)
End Function


Accepted answer
  1. Tom Phillips 17,686 Reputation points

    What you are using is a very old method and not very secure.

    I suggest you read this:


2 additional answers

  1. Olaf Helper 36,091 Reputation points

    user can no longer login unless he enters the encrypted password.

    You show the code to save an encrypted password, but how does the login code look to validate the password; do we have to guess it?

  2. Bruce ( 48,561 Reputation points

    Besides your code not working, it is so full of security holes, it would fail any security audit. This is why, unless you understand security, you should use the supplied user identification and password management libraries.
