In C#, there's a method called VerifyHashedPassword(). This does not take a hashing algorithm. In T-SQL, there's a method HashBytes(), which does require that you pass the hashing algorithm.
I am updating a program, and I need to verify the user's password. I have the table of hashed passwords, but I do not know what algorithm was used, only that the C# code uses VerifyHashedPassword, which does not take an algorithm parameter.
What algorithm can I pass to HashBytes() which will match what VerifyHashedPassword uses?
Edit: It is obvious that the suggested question does not answer my question. It is difficult to understand why anyone would have thought that it did.
You will probably NOT be able to use the SQL HashBytes() method to replicate the process, because you don't know the salt. And if you did know the salt, the whole point of modern algorithms is they are tunable, and you don't know the tuning factor used. And even if you knew the tuning factor, the newer tunable algorithms are not yet supported by HashBytes().

But the info you want is it uses the Rfc2898DeriveBytes type, which includes this in the documentation:

The output of a password hashed this way will also include a random salt as part of the result. The VerifyHashedPassword() then takes this value and separates the salt (and any other metadata, like the tuning factor) from this input value and uses it to duplicate the original hash process on the attempted password. Then it can compare the hashes to give a valid/invalid result.

You should continue to use that process, if possible. Password validation is not typically done in the database itself.
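
The split-and-rederive step described in the answer above, as an added example that is not part of the original answer or of any library's source. The record layout (0x00 marker, 16-byte salt, 32-byte PBKDF2-HMAC-SHA1 subkey, 1000 iterations) is an assumption, since the page does not say which implementation filled the table, and `LegacyHashDemo`, `Hash`, `Verify` and `Derive` are hypothetical names.

```csharp
using System;
using System.Security.Cryptography;

// Added illustration. ASSUMED record layout (not stated on the page):
// Base64( 0x00 | 16-byte salt | 32-byte PBKDF2-HMAC-SHA1 subkey ), 1000 iterations.
static class LegacyHashDemo
{
    const int SaltSize = 16, SubkeySize = 32, Iterations = 1000;

    // Builds a record in the assumed layout; used here only to construct sample input.
    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        byte[] subkey = Derive(password, salt);
        byte[] record = new byte[1 + SaltSize + SubkeySize]; // record[0] stays 0x00
        Buffer.BlockCopy(salt, 0, record, 1, SaltSize);
        Buffer.BlockCopy(subkey, 0, record, 1 + SaltSize, SubkeySize);
        return Convert.ToBase64String(record);
    }

    public static bool Verify(string stored, string attempt)
    {
        byte[] record;
        try { record = Convert.FromBase64String(stored); }
        catch (FormatException) { return false; }
        if (record.Length != 1 + SaltSize + SubkeySize || record[0] != 0x00)
            return false; // truncated record or a marker this code does not understand
        // Separate the per-user salt and the stored subkey from the record.
        byte[] salt = new byte[SaltSize];
        byte[] expected = new byte[SubkeySize];
        Buffer.BlockCopy(record, 1, salt, 0, SaltSize);
        Buffer.BlockCopy(record, 1 + SaltSize, expected, 0, SubkeySize);
        // Repeat the derivation on the attempt with the same salt; compare in constant time.
        byte[] actual = Derive(attempt, salt);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA1))
            return kdf.GetBytes(SubkeySize);
    }

    static void Main()
    {
        string stored = Hash("correct horse"); // constructed sample record
        Console.WriteLine(Verify(stored, "correct horse"));
        Console.WriteLine(Verify(stored, "wrong guess"));
    }
}
```

A single HashBytes() call computes one digest over its input, so it cannot reproduce the per-record salt and iterated derivation that `Verify` repeats here.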