BCrypt Hashed Password Truncated in The Database

StackOverflow https://stackoverflow.com/questions/9280916

Question

I'm using .Net implementation of BCrypt for storing passwords in the database. The password column is VARCHAR(MAX)

This is the code that updates the Password via stored procedure: 

Update [User] 
Set [Password]= @NewPassword, 
ModifiedOn = GetDate(),
ModifiedBy = 'PasswordChanger'
Where [UserName] = @UserName

For some users, the password gets truncated. An example after truncation is: $2a$12$XM2

This is not the case always.

Please help me understand what could cause the truncation?

UPDATE:

Here is the C# code that calls the SP to update the password: 

string HashedPassword;
int NumberOfRowsAffected;
try
            {
                Database jss = DatabaseFactory.CreateDatabase();
                HashedPassword = BCrypt.HashPassword(txtPassword.Text, BCrypt.GenerateSalt(12));
                NumberOfRowsAffected = jss.ExecuteNonQuery("procUpdatePassword", GetLogin(HttpContext.Current.User.Identity), HashedPassword);
                if (NumberOfRowsAffected > 0)
                    lblStatus.Text = "Password updated.";
                else
                {
                    lblStatus.Text = "Password not updated for this user.";
                }

            }
            catch (Exception ex)
            {
                lblStatus.Text = "Password was not changed due to an error.";
                lblStatus.Text += ex.ToString();
            }
Était-ce utile?

La solution

  1. Please check your input parameter length of the password being used in Stored Procedure...
  2. Please check your Parameter length of the password being used in the C# function before calling making database request...

Finally, both side should be synchronized with the Table schema.

Sample Code...

using (SqlConnection con = new SqlConnection("Your Connection String"))
{
    using (SqlCommand cmd = new SqlCommand("Your Stored Procedure Name", con))
    {
        SqlParameter param = new SqlParameter();
        param.ParameterName = "Parameter Name";
        param.Value = "Value";
        param.SqlDbType = SqlDbType.VarChar;
        param.Direction = ParameterDirection.Input;
        cmd.Parameters.Add(param);
        cmd.ExecuteNonQuery();
    }
}

Note - If not explicitly set, the size is inferred from the actual size of the specified parameter value.

Licencié sous: CC-BY-SA avec attribution
Non affilié à StackOverflow
scroll top