Hi

My users have a password field such as “0!ZWQ2” saved in the database. I must unscramble my User input password from “aA1234” to “0!ZWQ2” and compare it to data in a database.

The 2 strings that I compare are:

“abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 ” With “9setybcpqwiuvxr108daj5'-`~!@#$%^&()+|}][{:.?/<>,;ZWQ2@#34KDA”

This way a = 9 and 0 = A

How would I do this in C#, any ideas?

I just need to take the password field from the user input and scramble it to funny text to compare it to the data in the Database.

Any help will be appreciated.

Regards Etienne

Updates: (10 Feb 2009) Thanks everyone for the replies. Please note that I do realize that there are much better ways of handling this. But please note that I am creating an ASP.NET application that's going to be sitting inside SharePoint connecting to Cobol flat file data and not a proper database. Using Transoft to connect my ASP.NET (ODBC connector) to the Cobol flat files. So I have to stick with this code, and this will not be used on my Private site. I also have no control on when the Password is created in Cobol.

+5  A: 

Any special reason not to use a standard hash + salt for storing the passwords, instead of a Caesars cipher?

One way that should solve it (untested code):

    new string("aA1234".ToCharArray().Select(c => ScrambleChars[OriginalChars.IndexOf(c)]).ToArray());
Mark S. Rasmussen
+1 - this is security through obscurity. I hope I'm not using this site...
Jon Skeet
Using Cobol flat files with ASP.net
Etienne
He's stated he's comparing the passwords to one in a database, I'm sure the question would be geared towards encrypting the password for storing if this was something he was in control of.
Robin Day
A: 

I'd write a Utility-class that contains an Encode or Translate method which takes the inputString and (checks for any bad/malicious input) transfigures it using your cipher-method.

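    // Ordinal equality gives an exact match; String.Compare returns an int and is culture-sensitive
    return String.Equals(dbPassword, PasswordUtility.Encode(inputString), StringComparison.Ordinal);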
Gambrinus
+2  A: 

You should not save the passwords in your database in a way that can be reversed. The database administrator or a hacker intruding into your system should not be able to get the user's stored passwords.

Timbo
+5  A: 

The following is a quick, fast, and shorter code example for the conversion.

Code in C#:

        char[] OriginalChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890".ToCharArray();
        char[] ScrambleChars = "9setybcpqwiuvxr108daj5'-`~!@#$%^&()+|}][{:.?/<>,;ZWQ2@#34KDART".ToCharArray();
        string TextToTransfer = "Hello";
        string NewText = "";
        foreach (char c in TextToTransfer)
        {
            // IndexOf returns -1 for characters that are not in OriginalChars (a space, for example);
            // those are kept unchanged here instead of indexing ScrambleChars with -1.
            int index = Array.IndexOf<char>(OriginalChars, c);
            NewText = NewText + (index >= 0 ? ScrambleChars[index] : c).ToString();
        }
        Console.WriteLine(NewText);

Code in VB:

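    Dim OriginalChars() As Char = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890".ToCharArray()
    Dim ScrambleChars() As Char = "9setybcpqwiuvxr108daj5'-`~!@#$%^&()+|}][{:.?/<>,;ZWQ2@#34KDART".ToCharArray()
    Dim TextToTransfer As String = "Hello"
    Dim NewText As String = ""
    For Each c As Char In TextToTransfer
        ' IndexOf returns -1 for characters that are not in OriginalChars;
        ' those are kept unchanged instead of indexing ScrambleChars with -1.
        Dim index As Integer = Array.IndexOf(OriginalChars, c)
        NewText &= If(index >= 0, ScrambleChars(index), c)
    Next
    MsgBox(NewText)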
Sachin
Great stuff!!! Thank you so much!!!!!!
Etienne
Should maybe use a StringBuilder in that loop?
Svish
+1  A: 

Firstly, as other users have stated, if you are designing this system and password storage method then this method is almost worthless and there are many more secure methods that should be used instead.

However, the fact that you're asking for this to do comparison makes me think you do not have control over what is already in the database and therefore are working with something legacy.

The function below will take your user's password as a string and return the database password as a string. One thing to note, the two strings you provided are not of equal length and therefore would crash for characters 9 and 0. I have added two additional letters B and C to the dbChars string. Also, I have "assumed" that any characters entered that cannot be found in the mapping characters are just appended as entered. You may require that these characters are ignored.

    private string DatabasePassword(string userPassword)
    {
        //Constants showing mapping between user password and database password
        const string userChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
        const string dbChars   = "9setybcpqwiuvxr108daj5'-`~!@#$%^&()+|}][{:.?/<>,;ZWQ2@#34KDABC";

        //Stringbuilder used to build the database password for output
        System.Text.StringBuilder databasePassword = new System.Text.StringBuilder();

        //Run through every character in the user password
        foreach (Char userChar in userPassword)
        {
            //Find the index of the user character in the userChars string.
            int userCharIndex = userChars.IndexOf(userChar);

            //if the userChar exists in the userChars string then map the character to the
            //equivalent database password character else just use the entered char
            char mappedChar = userCharIndex >= 0 ? dbChars[userCharIndex] : userChar;

            //Append mapped password to the output database password
            databasePassword.Append(mappedChar);
        }

        return databasePassword.ToString();
    }
Robin Day
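
A check worth running on the tables before relying on them, as an added example that is not code from any of the answers: in the table as posted in Robin Day's answer, `@` and `#` each appear twice on the scrambled side, so two different typed passwords can produce the same stored value. The class and method names and the stored sample value are hypothetical; unmapped characters are rejected here rather than passed through.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

static class LegacyPasswordMap   // hypothetical name, not from the page
{
    // Tables as posted in Robin Day's answer (62 characters each).
    const string UserChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
    const string DbChars   = "9setybcpqwiuvxr108daj5'-`~!@#$%^&()+|}][{:.?/<>,;ZWQ2@#34KDABC";

    // Lists input characters that share a scrambled character with an earlier one.
    public static List<string> FindCollisions(string source, string target)
    {
        if (source.Length != target.Length)
            throw new ArgumentException("Mapping tables differ in length.");
        var seen = new Dictionary<char, char>();   // scrambled char -> first input char
        var collisions = new List<string>();
        for (int i = 0; i < source.Length; i++)
        {
            if (seen.TryGetValue(target[i], out char first))
                collisions.Add($"'{first}' and '{source[i]}' both map to '{target[i]}'");
            else
                seen[target[i]] = source[i];
        }
        return collisions;
    }

    // Encodes only when every character is in the table; otherwise reports failure.
    public static bool TryEncode(string input, out string encoded)
    {
        encoded = null;
        var sb = new StringBuilder(input.Length);
        foreach (char c in input)
        {
            int i = UserChars.IndexOf(c);
            if (i < 0) return false;               // unmapped character: no valid encoding
            sb.Append(DbChars[i]);
        }
        encoded = sb.ToString();
        return true;
    }

    static void Main()
    {
        foreach (string line in FindCollisions(UserChars, DbChars))
            Console.WriteLine(line);
        string stored = "9!2@#3";                  // constructed sample of a stored value
        bool ok = TryEncode("aA1234", out string candidate)
                  && string.Equals(candidate, stored, StringComparison.Ordinal);
        Console.WriteLine(ok);
    }
}
```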