Change the MD5 Hashed Password of a Valid User

This article shows how to change the hashed password of the valid user through its user id, which is saved in a database.

Introduction

For the demonstration, I will:

  1. Get a table in the database that stores the login credentials of the user.
  2. Create a website and add the JavaScript MD5 conversion file.
  3. Add a page to the website with 3 textboxes for User ID, Old Password and New Password and a save button.
  4. Add a reference to the MD5 conversion file on the page and create a JavaScript function to convert the plain password to the hashed password.
  5. Add code on page load that creates a salt and passes it to the JavaScript function through an attribute added to the save button, and code in the button click event that matches the passwords and saves the new password into the database.

Note: To learn more about the first point go to my previous article "Generate the Client-side Hash Via MD5 Algorithm and Saving to Database" (http://www.c-sharpcorner.com/UploadFile/a20beb/generate-the-client-side-hash-via-md5-algorithm-and-saving-t/).

Step 1

I have a table named "LoginTable" in the database that stores the login credentials of the user.

Step 2

Create a website and add the JavaScript MD5 conversion file.

  1. Create an empty website named "LoginCredentials".

  2. Add a new folder in the root and name it "Scripts". Add "md5.js" to the "Scripts" folder.

    Note: You can find the "md5.js" in the attached file.

Step 3

Add a page to the website with 3 textboxes for User ID, Old Password and New Password and a save button.

  1. Add a page named "ChangePassword.aspx".

  2. Add the following controls to the page:

    • Text box for the user id named "txtUserID".
    • Text box for the old password named "txtOldpwd" with TextMode="Password".
    • Text box for the new password named "txtNewpwd" with TextMode="Password".
    • Save button named "btn_save" with an "onclick" event.

Step 4

Add a reference to the MD5 conversion file on the page and create a JavaScript function to convert the plain password to the hashed password.

  1. Add the reference to the MD5 conversion file on the page as in the following:

    <script src="Scripts/md5.js"></script>

  2. Create a JavaScript function in the "head" section of the page to convert the plain password to the hashed password, as in the following:

    <script type="text/javascript">
        function ChangePwd(salt) {
            if (document.getElementById("txtOldpwd").value != "") {
                // First pass: hash the plain old password
                document.getElementById("txtOldpwd").value = hex_md5(document.getElementById("txtOldpwd").value);
                // Second pass: hash that hash together with the salt from the server
                document.getElementById("txtOldpwd").value = hex_md5(document.getElementById("txtOldpwd").value + salt);
            }

            if (document.getElementById("txtNewpwd").value != "") {
                // The new password is hashed once, without the salt
                document.getElementById("txtNewpwd").value = hex_md5(document.getElementById("txtNewpwd").value);
            }
        }
    </script>

    Note: The "hex_md5" function is defined in the "md5.js" file. The old password is hashed 2 times: first the plain text is converted to a hash, then that hash is hashed again with the salt for the matching. The new password is converted to a hash once.

Step 5

Add code on page load that creates the salt and passes it to the JavaScript function through an attribute added to the save button, and code in the button click event that saves the data.

  1. Create a method that takes the size of the salt and returns a salt generated with a cryptographic random number generator.

    // Requires: using System.Security.Cryptography;
    private string CreateSalt(int size)
    {
        // Fill a buffer of the requested size from the cryptographic RNG
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
        {
            byte[] buff = new byte[size];
            rng.GetBytes(buff);
            // Base64 keeps the salt printable for use in the page script
            return Convert.ToBase64String(buff);
        }
    }

  2. Get the value in the salt variable and add the JavaScript function call, with the salt as its parameter, to the save button through an attribute.

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Get a salt built from 5 random bytes (8 Base64 characters)
            string salt = CreateSalt(5);
            // Save the salt in a session variable
            Session["salt"] = salt;
            // Add the JS function call to the save button with the salt as parameter
            btn_save.Attributes.Add("onclick", "return ChangePwd('" + salt + "');");
        }
    }

  3. Get the hashed password from the database if the user id is valid. Then hash it again with the already generated salt and match it against the old password filled in by the user, to check the authenticity of the user in the save button click event. If the old password matches, update the new password.

    // Requires: using System.Configuration; using System.Data.SqlClient; using System.Web.Security;
    protected void btn_Save_Click(object sender, EventArgs e)
    {
        if (txtUserID.Text != "" && txtOldpwd.Text != "" && txtNewpwd.Text != "")
        {
            string connStr = ConfigurationManager.ConnectionStrings["constr"].ToString();
            using (SqlConnection connection = new SqlConnection(connStr))
            {
                connection.Open();

                // Get the password from the database; parameters keep user input out of the SQL text
                object pwd;
                using (SqlCommand cmd = new SqlCommand("Select pwd from LoginTable where UserID=@UserID", connection))
                {
                    cmd.Parameters.AddWithValue("@UserID", txtUserID.Text);
                    pwd = cmd.ExecuteScalar();
                }

                // Unknown user id, or no salt left in the session
                if (pwd == null || pwd == DBNull.Value || Session["salt"] == null)
                { Response.Write("Invalid User"); return; }

                // Create the hash of the correct password with salt
                string hashed_pwd = FormsAuthentication.HashPasswordForStoringInConfigFile(pwd.ToString().ToLower() + Session["salt"].ToString(), "md5");

                // Match both passwords
                if (hashed_pwd.ToLower().Equals(txtOldpwd.Text))
                {
                    // Update the new password
                    using (SqlCommand cmd = new SqlCommand("update LoginTable set pwd=@pwd where UserID=@UserID", connection))
                    {
                        cmd.Parameters.AddWithValue("@pwd", txtNewpwd.Text);
                        cmd.Parameters.AddWithValue("@UserID", txtUserID.Text);
                        cmd.ExecuteNonQuery();
                    }
                    Response.Write(" Password has been changed ");
                }
                else
                { Response.Write("Invalid User"); return; }
            }
        }
    }
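
The exchange that Steps 4 and 5 set up, with both sides written out in Node.js as an added example that is not part of the original article. The function names are hypothetical: hexMd5 stands in for hex_md5 from md5.js (ASCII input assumed), an in-memory object stands in for LoginTable, and the constant-time comparison is an addition to the article's Equals check.

```javascript
const crypto = require("crypto");

// Stand-in for hex_md5() from md5.js: lowercase hex MD5 of a string.
function hexMd5(text) {
  return crypto.createHash("md5").update(text, "utf8").digest("hex");
}

// Server, page load: random bytes as Base64, like CreateSalt(size).
function createSalt(size) {
  return crypto.randomBytes(size).toString("base64");
}

// Browser, ChangePwd(salt): the values the two password boxes hold at submit.
function clientChangePwd(oldPwd, newPwd, salt) {
  return {
    oldPwd: hexMd5(hexMd5(oldPwd) + salt), // hash, then hash again with the salt
    newPwd: hexMd5(newPwd),                // single unsalted hash, stored as-is
  };
}

// Server, save click: rebuild the expected value from the stored hash and the
// session salt, then compare without leaking the mismatch position via timing.
function serverVerify(storedHash, sessionSalt, postedOldPwd) {
  const expected = Buffer.from(hexMd5(storedHash.toLowerCase() + sessionSalt));
  const posted = Buffer.from(String(postedOldPwd).toLowerCase());
  return expected.length === posted.length &&
    crypto.timingSafeEqual(expected, posted);
}

// Constructed sample run: an in-memory object stands in for LoginTable.
function demo() {
  const table = { Admin: hexMd5("abcd1234") };
  const salt = createSalt(5);
  const wrong = serverVerify(table.Admin, salt,
    clientChangePwd("wrong-old", "test1234", salt).oldPwd);
  const form = clientChangePwd("abcd1234", "test1234", salt);
  const ok = serverVerify(table.Admin, salt, form.oldPwd);
  if (ok) table.Admin = form.newPwd; // the update step
  return { salt, wrong, ok, stored: table.Admin };
}

console.log(demo());
```

The value written to the table is exactly what the browser posted in the new-password field, so the server never sees or hashes the plain text itself.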

At Run Time: After running the page, the new password is updated once the user and old password have been authenticated.

Type the valid user id and password.

Note: Here the valid User ID is "Admin", the old password is "abcd1234" and the new password is "test1234".

After updating the new password, see the response.

Result: The password has been updated in the database.
