tags:

views:

154

answers:

2
+1  Q: 

Hashed passwords and the entity framework

I've got a Users table and the HashedPassword column is of the binary(16) type. It's used to store an MD5 hash. To generate the hash I created a couple of stored procedures: CreateUser, EditUser and LoginUser. They have a parameter that accepts a password in plaintext, convert it to the MD5 hash and store/lookup the hash in the table.

The problem is how do I fit this in with the entity framework? I tried creating an extra 'password' field in the User entity and then I would connect that field with the stored procedures but I get an error saying that this new Password field is not connected to a column in the Users table.

I just starting working with Entity Framework so I'm probably missing something obvious. Maybe I should keep the hash generation code in .net instead of the database.

+1  A: 

Have you had a look at the Membership framework? It handles all the unpleasantness of Users, Passwords, Logins, Roles and much more.

Also, as I've been adminished in prior posts, MD5 is not secure. AES or BCrypt are more secure ways to hash today.

Bob Kaufman  2009-10-04 15:53:56
I only need to have 2 administrators let access to the site. Using the membership framework is a bit overkill and provides too much functionality that I don't need.Also, using MD5 in this situation together with a salt value is secure enough. The situtations where MD5 was proven to be insecure was when those hashes were publically available. When hackers see my hashes it means the whole database is compromised.
ZippyV  2009-10-05 20:58:55
+1  A: 

I think the simplest way is as you suggested: to keep the hash generation code in .net.

Not sure if it's possible to configure EDM to work as you want, but decoupling the security logic, data access layer and storage layer sounds like logic to me.

Misha N.  2009-10-04 17:08:25

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?