I've got a Users table and the HashedPassword column is of the binary(16) type. It's used to store an MD5 hash. To generate the hash I created a couple of stored procedures: CreateUser, EditUser and LoginUser. They have a parameter that accepts a password in plaintext, convert it to the MD5 hash and store/lookup the hash in the table.

The problem is how do I fit this in with the entity framework? I tried creating an extra 'password' field in the User entity and then I would connect that field with the stored procedures but I get an error saying that this new Password field is not connected to a column in the Users table.

I just started working with Entity Framework so I'm probably missing something obvious. Maybe I should keep the hash generation code in .net instead of the database.

+1  A: 

Have you had a look at the Membership framework? It handles all the unpleasantness of Users, Passwords, Logins, Roles and much more.

Also, as I've been admonished in prior posts, MD5 is not secure. AES or BCrypt are more secure ways to hash today.

Bob Kaufman
I only need to let 2 administrators access the site. Using the membership framework is a bit overkill and provides too much functionality that I don't need. Also, using MD5 in this situation together with a salt value is secure enough. The situations where MD5 was proven to be insecure were when those hashes were publicly available. When hackers see my hashes it means the whole database is compromised.
ZippyV
+1  A: 

I think the simplest way is as you suggested: to keep the hash generation code in .net.

Not sure if it's possible to configure EDM to work as you want, but decoupling the security logic, data access layer and storage layer sounds logical to me.

Misha N.
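
With the hash generated in .NET, as the answer above suggests, the entity only carries the stored bytes and needs no unmapped 'password' field. The sketch below is an added example, not code from any poster on this page, and assumes .NET 6 or later; it swaps the MD5 stored procedures for the framework's salted PBKDF2-SHA256, and the PasswordSalt property, the binary(32) hash width, the iteration count and the class names are all assumptions.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical entity: mirrors the Users table from the question, with an
// assumed PasswordSalt column and HashedPassword widened to binary(32).
public class User
{
    public int Id { get; set; }
    public string UserName { get; set; } = "";
    public byte[] PasswordSalt { get; set; } = Array.Empty<byte>();
    public byte[] HashedPassword { get; set; } = Array.Empty<byte>();
}

public static class PasswordHasher
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int Iterations = 600_000; // assumed work factor; tune for your hardware

    // Call in the create/edit user paths before context.SaveChanges().
    public static void SetPassword(User user, string plaintext)
    {
        user.PasswordSalt = RandomNumberGenerator.GetBytes(SaltBytes); // fresh salt per password
        user.HashedPassword = Derive(plaintext, user.PasswordSalt);
    }

    // Call in the login path after loading the User row by name.
    public static bool Verify(User user, string plaintext)
    {
        if (user.PasswordSalt.Length != SaltBytes || user.HashedPassword.Length != HashBytes)
            return false; // no password set yet, or a row still in the old format
        byte[] candidate = Derive(plaintext, user.PasswordSalt);
        // Constant-time comparison so timing does not reveal how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(candidate, user.HashedPassword);
    }

    private static byte[] Derive(string plaintext, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(plaintext, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);
}

public static class Demo
{
    public static void Main()
    {
        var admin = new User { UserName = "admin" }; // constructed sample row
        PasswordHasher.SetPassword(admin, "correct horse battery staple");
        Console.WriteLine(PasswordHasher.Verify(admin, "correct horse battery staple"));
        Console.WriteLine(PasswordHasher.Verify(admin, "wrong guess"));
    }
}
```

Both byte[] properties map to ordinary binary columns, so Entity Framework persists them like any other field and the plaintext never reaches the database.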