Introduction
This article shows how to change the hashed password, saved in a database, of a valid user identified by user ID.
For the demonstration, I will:
- Get a table in the database that stores the login credentials of the user.
- Create a website and add a JavaScript MD5 conversion file.
- Add a page to the website with 3 textboxes for User ID, Old Password and New Password and a save button.
- Add a reference to the MD5 conversion file on the page and create a JavaScript function to convert the plain password to the hashed password.
- Add code on the page load that creates a salt and passes it to the JavaScript function through an attribute added to the save button, and code on the button click event that matches the passwords and saves the new password into the database.
Note: To learn more about the first point go to my previous article "Generate the Client-side Hash Via MD5 Algorithm and Saving to Database" (http://www.c-sharpcorner.com/UploadFile/a20beb/generate-the-client-side-hash-via-md5-algorithm-and-saving-t/).
Step 1
I have a table named "LoginTable" in the database that stores the login credentials of the user.
Step 2
Create a website and add a JavaScript MD5 conversion file.
- Create an empty website named "LoginCredentials".
- Add a new folder in the root and name it "Scripts". Add "md5.js" to the "Scripts" folder.
Note: You can find the "md5.js" in the attached file.
Step 3
Add a page to the website with 3 textboxes for User ID, Old Password and New Password and a save button.
- Add a page named "ChangePassword.aspx".
- Add the following controls to the page:
  - Text box for the user ID named "txtUserID".
  - Text box for the old password named "txtOldpwd" with TextMode="Password".
  - Text box for the new password named "txtNewpwd" with TextMode="Password".
  - Button for saving named "btn_save" with an "onclick" event.
Step 4
Add a reference to the MD5 conversion file on the page and create a JavaScript function to convert the plain password to the hashed password.
- Add the reference to the MD5 conversion file on the page as in the following:

    <script src="Scripts/md5.js"></script>

- Create a JavaScript function to convert the plain password to the hashed password in the "head" section of the page as in the following:

    <script type="text/javascript">
        function ChangePwd(salt) {
            // Old password: hash the plain text, then hash that hash together with the salt.
            if (document.getElementById("txtOldpwd").value != "") {
                document.getElementById("txtOldpwd").value = hex_md5(document.getElementById("txtOldpwd").value);
                document.getElementById("txtOldpwd").value = hex_md5(document.getElementById("txtOldpwd").value + salt);
            }

            // New password: hashed once, without the salt; this is the value the server stores.
            if (document.getElementById("txtNewpwd").value != "") {
                document.getElementById("txtNewpwd").value = hex_md5(document.getElementById("txtNewpwd").value);
            }
        }
    </script>
Note: The "hex_md5" function is defined in the "md5.js" file. The old password is hashed twice: first the plain text is converted to a hash, then that hash is hashed again together with the salt, and this second value is what the server matches. The new password is hashed once.
Step 5
Add code on the page load that creates the salt and passes it to the JavaScript function through an attribute added to the save button, and code on the button click event that saves the data.
- Create a method that takes the size of the salt and returns a salt generated with the cryptographic random number generator.

    // Requires: using System.Security.Cryptography;
    private string CreateSalt(int size)
    {
        // Dispose the generator once the random bytes have been produced.
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
        {
            byte[] buff = new byte[size];
            rng.GetBytes(buff);
            return Convert.ToBase64String(buff);
        }
    }
- Store the salt in a variable and in the session, then attach the JavaScript function, with the salt as its parameter, to the save button through an "onclick" attribute.

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // One salt per page load, kept in the session for the server-side check.
            string salt = CreateSalt(5);

            Session["salt"] = salt;

            // The button is named "btn_save" (Step 3); ChangePwd runs in the browser before the postback.
            btn_save.Attributes.Add("onclick", "return ChangePwd('" + salt + "');");
        }
    }
- On the save button click event, get the hashed password from the database if the user ID is valid. Hash it again with the salt generated earlier and match it against the old password value submitted by the user to check the authenticity of the user. If the old password matches, update the new password.

    // Requires: using System.Configuration; using System.Data.SqlClient; using System.Web.Security;
    protected void btn_Save_Click(object sender, EventArgs e)
    {
        // An empty new password is rejected so that an empty value is never stored.
        if (txtUserID.Text != "" && txtOldpwd.Text != "" && txtNewpwd.Text != "")
        {
            using (SqlConnection connection = new SqlConnection())
            {
                connection.ConnectionString = ConfigurationManager.ConnectionStrings["constr"].ToString();
                connection.Open();

                // The user ID is passed as a parameter instead of being concatenated into the SQL text.
                object pwd;
                using (SqlCommand cmd = new SqlCommand("Select pwd from LoginTable where UserID=@UserID", connection))
                {
                    cmd.Parameters.AddWithValue("@UserID", txtUserID.Text);
                    pwd = cmd.ExecuteScalar();
                }

                // ExecuteScalar returns null when no row matches; the session salt may also have expired.
                if (pwd == null || pwd == DBNull.Value || Session["salt"] == null)
                { Response.Write("Invalid User"); return; }

                // Hash the stored hash with the session salt, as ChangePwd did in the browser.
                string hashed_pwd = FormsAuthentication.HashPasswordForStoringInConfigFile(pwd.ToString().ToLower() + Session["salt"].ToString(), "md5");

                if (hashed_pwd.ToLower().Equals(txtOldpwd.Text))
                {
                    using (SqlCommand cmd = new SqlCommand("update LoginTable set pwd=@Pwd where UserID=@UserID", connection))
                    {
                        cmd.Parameters.AddWithValue("@Pwd", txtNewpwd.Text);
                        cmd.Parameters.AddWithValue("@UserID", txtUserID.Text);
                        cmd.ExecuteNonQuery();
                    }
                    Response.Write(" Password has been changed ");
                }
                else
                { Response.Write("Invalid User"); return; }
            }
        }
    }
At run time: Run the page. The new password is saved after the user ID and old password have been authenticated.
Type a valid user ID and password.
Note: Here the valid User ID is "Admin", the old password is "abcd1234" and the new password is "test1234".
After updating the new password, see the response.
Result: The password has been updated in the database.
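The exchange from Steps 4 and 5, simulated end to end in Node.js with the sample credentials from the note above. This is an added example, not the article's code: Node's crypto module stands in for "md5.js", a Map stands in for "LoginTable", the function names are hypothetical, and the fixed-time comparison is an addition the article's server code does not have.

```javascript
// Added example (not the article's code): the Step 4/5 exchange simulated in Node.js.
const crypto = require("crypto");

// Stand-in for hex_md5 from md5.js: lowercase hex MD5 of a UTF-8 string.
const md5hex = (s) => crypto.createHash("md5").update(s, "utf8").digest("hex");

// Page_Load: random per-session salt, Base64-encoded like CreateSalt(5).
const createSalt = (size) => crypto.randomBytes(size).toString("base64");

// Browser side (ChangePwd): what the form posts instead of the plain passwords.
function clientSubmit(userId, oldPlain, newPlain, salt) {
  return {
    userId,
    oldPwd: md5hex(md5hex(oldPlain) + salt), // response bound to this session's salt
    newPwd: md5hex(newPlain),                // stored by the server exactly as sent
  };
}

// Server side (btn_Save_Click): recompute the response from the stored hash.
function serverChangePassword(table, sessionSalt, form) {
  const stored = table.get(form.userId);
  if (stored === undefined) return "Invalid User"; // unknown user ID
  const expected = Buffer.from(md5hex(stored.toLowerCase() + sessionSalt));
  const supplied = Buffer.from(String(form.oldPwd));
  // timingSafeEqual throws on unequal lengths, so compare the lengths first.
  const ok = supplied.length === expected.length &&
    crypto.timingSafeEqual(supplied, expected);
  if (!ok) return "Invalid User";
  table.set(form.userId, form.newPwd);
  return "Password has been changed";
}

// Constructed data: LoginTable as a Map, credentials from the article's note.
function demo() {
  const table = new Map([["Admin", md5hex("abcd1234")]]);
  const salt = createSalt(5);
  const form = clientSubmit("Admin", "abcd1234", "test1234", salt);
  const wrong = serverChangePassword(table, salt,
    clientSubmit("Admin", "guess", "x", salt)); // wrong old password
  const stale = serverChangePassword(table, createSalt(5), form); // another session's salt
  const good = serverChangePassword(table, salt, form);
  return { wrong, stale, good, stored: table.get("Admin") };
}

console.log(demo());
```

The old-password value only verifies against the salt held in the same session, while the new-password value is stored exactly as it arrives.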