Retrieving a user's password for verification
Problem
I am working on a login form. Basically, my code searches for a user name, then retrieves the hashed password that is related to that account. It then converts that hashed password string back to its real value. But my issue here is that it is messy.
private void userVerification()
{
    // Instantiate the LINQ to SQL data context
    DataClasses1DataContext myDbContext = new DataClasses1DataContext(dbPath);

    // Hasher from the password-hashing library in use; by default the salt size is 4
    var hasher = new Hasher();
    hasher.SaltSize = 16;
    var encryptedPassword = hasher.Encrypt(txtPassword.Text);

    // Search for the user and select the stored password hash
    var searchUser = from user in myDbContext.Accounts
                     where user.accnt_User == txtUser.Text
                     select user.accnt_Pass;

    // Retrieves the first result
    var password = searchUser.FirstOrDefault();

    // Check if there's a result or match
    if (searchUser.Count() != 0)
    {
        bool areEqual = hasher.CompareStringToHash(txtPassword.Text, password);
        // Was "if (areEqual = true)": an assignment, which always evaluates to true
        if (areEqual)
        {
            MessageBox.Show("CORRECT!");
        }
        else
        {
            MessageBox.Show("Wrong password!");
        }
    }
    else
    {
        MessageBox.Show("No Such User in the database");
    }
}

Solution
What I would correct in the code:

- if anything goes wrong it's best to just display "Login incorrect", instead of specialized messages ('user not found' / 'incorrect password'). Giving too many details may lead to information leakage
- searchUser is not a very good variable name. It in fact represents the result of a search, so I'd name it matchedUser. searchUser would be a good name for a query.
- the encryptedPassword variable is assigned but never used. You could use it to compare against the password hash in the database

In the end, my code would look like this:
private void userVerification()
{
    var myDbContext = new DataClasses1DataContext(dbPath);
    var hasher = new Hasher { SaltSize = 16 };
    var encryptedPassword = hasher.Encrypt(txtPassword.Text);
    var matchedUser = myDbContext.Accounts
        .Where(user =>
            user.accnt_User == txtUser.Text &&
            user.accnt_Pass == encryptedPassword)
        .FirstOrDefault();
    if (matchedUser != null)
        MessageBox.Show("CORRECT!");
    else
        MessageBox.Show("Invalid user or password.");
}
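One caveat a practitioner would want alongside the answer above: matching `user.accnt_Pass == encryptedPassword` in the query only works if `hasher.Encrypt` is deterministic. With a random 16-byte salt per hash (which is what a `SaltSize` setting usually implies), two hashes of the same password are different strings, so the stored hash has to be fetched first and the candidate rehashed with the stored salt, which is what the original `CompareStringToHash` call did. The following is an added example, not code from the question or the answer and not the `Hasher` library they use; it uses .NET's built-in PBKDF2 (`Rfc2898DeriveBytes.Pbkdf2`, .NET 6 or later) and a constant-time comparison, keeps the single "invalid user or password" outcome the answer recommends, and also runs the hash for unknown users so timing does not reveal which user names exist. The `PasswordVerifier` class, the `iterations$salt$hash` record format and the in-memory `accounts` dictionary standing in for the `Accounts` table are all assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example (not from the page): salted password hashing and verification
// using PBKDF2-HMAC-SHA256 from System.Security.Cryptography (.NET 6+).
public static class PasswordVerifier
{
    private const int SaltSize = 16;        // bytes, matching hasher.SaltSize = 16 in the post
    private const int HashSize = 32;        // bytes of PBKDF2 output
    private const int Iterations = 600_000; // PBKDF2 work factor; raise as hardware allows

    // Hypothetical record format "iterations$base64(salt)$base64(hash)", so the salt and
    // work factor travel with the hash and can be upgraded per user later.
    public static string HashPassword(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize); // fresh random salt per hash
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, HashSize);
        return $"{Iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(hash)}";
    }

    // Verifies a candidate against a stored record: read the salt and iteration count out
    // of the record, rehash the candidate with them, then compare in constant time.
    // Because the salt is random, a "WHERE accnt_Pass == hash(candidate)" lookup cannot
    // work; the record has to be fetched by user name first.
    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 3) return false; // malformed record: treat as no match

        int iterations = int.Parse(parts[0]);
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, iterations, HashAlgorithmName.SHA256, expected.Length);

        // FixedTimeEquals does not short-circuit on the first differing byte.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // Dummy record hashed once at startup. It is verified against when the user name does
    // not exist, so an unknown user costs the same PBKDF2 work as a wrong password.
    private static readonly string DummyRecord = HashPassword("not-a-real-password");

    // Login check with one outcome for both failure cases, as the answer recommends.
    // 'accounts' is a stand-in for the Accounts table: user name -> stored record.
    public static bool Login(IReadOnlyDictionary<string, string> accounts, string user, string password)
    {
        bool userExists = accounts.TryGetValue(user, out string stored);
        bool passwordOk = VerifyPassword(password, userExists ? stored : DummyRecord);
        return userExists && passwordOk;
    }

    public static void Main()
    {
        // Constructed sample data for the example, not taken from the page.
        var accounts = new Dictionary<string, string>
        {
            ["alice"] = HashPassword("correct horse battery staple"),
        };

        Console.WriteLine(Login(accounts, "alice", "correct horse battery staple"));
        Console.WriteLine(Login(accounts, "alice", "wrong password"));
        Console.WriteLine(Login(accounts, "mallory", "anything"));

        // Two hashes of the same password differ, which is why an equality query on the
        // hash column cannot be used for verification when salts are random.
        Console.WriteLine(HashPassword("same input") == HashPassword("same input"));
    }
}
```

The first `Login` call succeeds and the other two fail with the same result, and the last line shows the two hashes of one password differ. In the original code the only observable difference a caller should see between a wrong password and an unknown user is nothing at all: same message, same return value and, with the dummy-record rehash, roughly the same response time.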
Context
StackExchange Code Review Q#9404, answer score: 4