From: C. on 19 May 2010 13:36

Hey all,

I'm dealing with a legacy ASP app, and I believe to prevent passwords from being casually observed in the database, the developer converted the password to VARBINARY:

    qry = "UPDATE Users SET Password = CONVERT( VARBINARY, '" & newPassword & "' ), "

***SNIP****

I now have to ensure those passwords conform to our new security policy before a migration. How does one convert a VARBINARY type back to a string in C#?
From: C. on 19 May 2010 13:46

Silly me, I figured out that I should simply do a reverse conversion as I pull the field out. Move along, nothing to see here.
From: Jeff Johnson on 19 May 2010 13:48

"C." <hardieca(a)hotmail.com> wrote in message news:df8dbcb3-3607-47d7-9f1f-72eeb92516dc(a)f13g2000vbm.googlegroups.com...
> I'm dealing with a legacy ASP app, and I believe to prevent passwords
> from being casually observed in the database, the developer converted
> the password to VARBINARY:
>
> qry = "UPDATE Users SET Password = CONVERT( VARBINARY, '" &
> newPassword & "' ), "
>
> ***SNIP****
>
> I now have to ensure those passwords conform to our new security
> policy before a migration. How does one convert a VARBINARY type back
> to a string in C#?

What is the data type of the Password column?
From: Patrice on 19 May 2010 14:00

Hello,

> qry = "UPDATE Users SET Password = CONVERT( VARBINARY, '" &
> newPassword & "' ), "

Just the other way round... Try:

    -- Round trip: text -> VARBINARY -> text
    DECLARE @t VARCHAR(100)
    DECLARE @b VARBINARY(100)
    SET @t='Some text...'
    SET @b=CONVERT(VARBINARY(100),@t)
    SELECT @b,CONVERT(VARCHAR(100),@b)

Are you sure this is how it was done? If yes it looks quite a naive protection measure. Someone knowledgeable enough to get at the db will likely have no problem converting back such a value to text...

If you are currently taking additional safety measures you may want to try:
http://anastasiosyal.com/archive/2008/04/23/quick-tip-use-hashbytes-to-create-a-hash-in-tsql.aspx
and make sure to check the comments for a quick yet quite up to the point overview of password "hashing"...

--
Patrice
From: Arne Vajhøj on 19 May 2010 18:17

On 19-05-2010 13:36, C. wrote:
> I'm dealing with a legacy ASP app, and I believe to prevent passwords
> from being casually observed in the database, the developer converted
> the password to VARBINARY:
>
> qry = "UPDATE Users SET Password = CONVERT( VARBINARY, '"&
> newPassword& "' ),"
>
> ***SNIP****
>
> I now have to ensure those passwords conform to our new security
> policy before a migration. How does one convert a VARBINARY type back
> to a string in C#?

1) You should use Parameters and then you can set a byte array.

2) You should preferably not store the password at all but instead store a hash (like SHA-256) of it - or at least encrypt it - what you do is nothing.

Arne
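
The two points in the reply above, combined in an added example that is not code from the thread: a parameterized UPDATE that binds a byte array, storing a salted PBKDF2-HMAC-SHA256 hash in place of a single bare SHA-256 pass. Assumptions: .NET 6 or later, a Password column of at least VARBINARY(48), a hypothetical UserName key column, and an iteration count picked for illustration.

```csharp
using System;
using System.Data;
using System.Linq;
using System.Security.Cryptography;

static class PasswordStore
{
    const int SaltLen = 16, HashLen = 32;
    const int Iterations = 600_000;   // assumed work factor; tune for your hardware

    // Returns salt || PBKDF2-HMAC-SHA256(password, salt): 48 bytes for one VARBINARY column.
    public static byte[] Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltLen);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashLen);
        return salt.Concat(hash).ToArray();
    }

    // Recomputes the hash with the stored salt and compares in constant time.
    public static bool Verify(string password, byte[] stored)
    {
        if (stored == null || stored.Length != SaltLen + HashLen) return false;
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, stored[..SaltLen], Iterations, HashAlgorithmName.SHA256, HashLen);
        return CryptographicOperations.FixedTimeEquals(hash, stored.AsSpan(SaltLen));
    }

    // Parameterized UPDATE: values are bound as parameters, never concatenated into the SQL text.
    // "UserName" is a hypothetical key column; "Users" and "Password" are the names from the thread.
    public static int Save(IDbConnection conn, string userName, string newPassword)
    {
        using IDbCommand cmd = conn.CreateCommand();
        cmd.CommandText = "UPDATE Users SET Password = @hash WHERE UserName = @user";
        AddParam(cmd, "@hash", DbType.Binary, Hash(newPassword));
        AddParam(cmd, "@user", DbType.String, userName);
        return cmd.ExecuteNonQuery();
    }

    static void AddParam(IDbCommand cmd, string name, DbType type, object value)
    {
        IDbDataParameter p = cmd.CreateParameter();
        p.ParameterName = name; p.DbType = type; p.Value = value;
        cmd.Parameters.Add(p);
    }

    static void Main()
    {
        byte[] stored = Hash("correct horse battery staple");   // constructed sample password
        Console.WriteLine("{0} bytes, match={1}, wrong={2}", stored.Length,
            Verify("correct horse battery staple", stored), Verify("wrong guess", stored));
    }
}
```

Save accepts any open ADO.NET connection, for instance a SqlConnection; Main exercises only the hashing and verification, so it runs without a database.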