
Retrieving a user's password for verification


Problem

I am working on a login form. Basically, my code searches for a user name, then retrieves the hashed password that is related to that account. It then takes that hashed password string and converts it to its real value. But my issue here is that it is messy.

private void userVerification()
{
    //Instantiate Db
    DataClasses1DataContext myDbContext = new DataClasses1DataContext(dbPath);

    //Search for user
    var hasher = new Hasher();
    //by default salt size is 4
    hasher.SaltSize = 16;

    var encryptedPassword = hasher.Encrypt(txtPassword.Text);

    var searchUser = from user in myDbContext.Accounts
                     where user.accnt_User == txtUser.Text
                     select user.accnt_Pass;

    //Retrieves the first result.
    var password = searchUser.FirstOrDefault();

    //Check if there's a result or match
    if (searchUser.Count() != 0)
    {
        bool areEqual = hasher.CompareStringToHash(txtPassword.Text, password);

        //Test the flag itself; "areEqual = true" would assign instead of compare
        if (areEqual)
        {
            MessageBox.Show("CORRECT!");
        }
        else
        {
            MessageBox.Show("Wrong password!");
        }
    }
    else
    {
        MessageBox.Show("No Such User in the database");
    }
}

Solution

What I would correct in the code:

- if anything goes wrong it's best to just display "Login incorrect", instead of specialized messages ('user not found' / 'incorrect password'). Giving too many details may lead to information leakage

- searchUser is not a very good variable name. It in fact represents the result of a search, so I'd name it matchedUser. searchUser would be a good name for a query.

- the encryptedPassword variable is assigned but never used. You could use it to compare against the password hash in the database

In the end, my code would look like this:

private void userVerification()
{
    var myDbContext = new DataClasses1DataContext(dbPath);

    var hasher = new Hasher { SaltSize = 16 };
    var encryptedPassword = hasher.Encrypt(txtPassword.Text);

    var matchedUser = myDbContext.Accounts
        .Where(user =>
               user.accnt_User == txtUser.Text &&
               user.accnt_Pass == encryptedPassword)
        .FirstOrDefault();

    if (matchedUser != null)
        MessageBox.Show("CORRECT!");
    else
        MessageBox.Show("Invalid user or password.");
}


Context

StackExchange Code Review Q#9404, answer score: 4
