Question

I'm using a .NET implementation of BCrypt for storing passwords in the database. The password column is VARCHAR(MAX).

This is the code that updates the Password via stored procedure:

Update [User] 
Set [Password]= @NewPassword, 
ModifiedOn = GetDate(),
ModifiedBy = 'PasswordChanger'
Where [UserName] = @UserName

For some users, the password gets truncated. An example after truncation is: $2a$12$XM2

This is not always the case.

Please help me understand what could cause the truncation?

UPDATE:

Here is the C# code that calls the SP to update the password:

string HashedPassword;
int NumberOfRowsAffected;
try
{
    Database jss = DatabaseFactory.CreateDatabase();
    HashedPassword = BCrypt.HashPassword(txtPassword.Text, BCrypt.GenerateSalt(12));
    NumberOfRowsAffected = jss.ExecuteNonQuery("procUpdatePassword", GetLogin(HttpContext.Current.User.Identity), HashedPassword);
    if (NumberOfRowsAffected > 0)
        lblStatus.Text = "Password updated.";
    else
    {
        lblStatus.Text = "Password not updated for this user.";
    }
}
catch (Exception ex)
{
    lblStatus.Text = "Password was not changed due to an error.";
    lblStatus.Text += ex.ToString();
}

Solution

  1. Please check the length of the password input parameter used in the stored procedure.
  2. Please check the length of the password parameter used in the C# function before making the database request.

Finally, both sides should be synchronized with the table schema.


Sample Code...

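using System.Data;
using System.Data.SqlClient;

using (SqlConnection con = new SqlConnection("Your Connection String"))
{
    using (SqlCommand cmd = new SqlCommand("Your Stored Procedure Name", con))
    {
        // Treat the command text as a stored procedure name, not inline SQL.
        cmd.CommandType = CommandType.StoredProcedure;

        SqlParameter param = new SqlParameter();
        param.ParameterName = "Parameter Name";
        param.Value = "Value";
        param.SqlDbType = SqlDbType.VarChar;
        param.Direction = ParameterDirection.Input;
        cmd.Parameters.Add(param);

        // The connection must be open before the command is executed.
        con.Open();
        cmd.ExecuteNonQuery();
    }
}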

Note - If not explicitly set, the size is inferred from the actual size of the specified parameter value.
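
The silent truncation that point 1 of the answer refers to, reproduced as an added T-SQL example (not part of the original question or answer), next to a procedure that rejects anything that is not a complete 60-character bcrypt hash. The temporary table, the procedure names, the VARCHAR(10) width and the sample value are constructed for illustration; run it in SSMS or sqlcmd, where GO separates batches.

```sql
-- Constructed demo objects; names are hypothetical stand-ins for [User] and procUpdatePassword.
CREATE TABLE #User (UserName VARCHAR(50) PRIMARY KEY, [Password] VARCHAR(MAX));
INSERT INTO #User (UserName) VALUES ('alice');
GO

-- Weak: the parameter is narrower than a 60-character bcrypt hash.
-- SQL Server truncates the argument to fit the parameter without raising an error,
-- so the VARCHAR(MAX) column never receives the full value.
CREATE PROCEDURE #procUpdatePasswordWeak
    @UserName VARCHAR(50),
    @NewPassword VARCHAR(10)          -- assumed width, for illustration only
AS
    UPDATE #User SET [Password] = @NewPassword WHERE UserName = @UserName;
GO

-- Hardened: the parameter is wide enough that nothing is cut off on the way in,
-- and the value is checked for bcrypt shape and length before it is stored.
CREATE PROCEDURE #procUpdatePasswordChecked
    @UserName VARCHAR(50),
    @NewPassword VARCHAR(MAX)
AS
BEGIN
    IF @NewPassword IS NULL
       OR DATALENGTH(@NewPassword) <> 60
       OR @NewPassword NOT LIKE '$2[abxy]$[0-9][0-9]$%'
    BEGIN
        RAISERROR('Rejected: value is not a complete bcrypt hash.', 16, 1);
        RETURN;
    END;
    UPDATE #User SET [Password] = @NewPassword WHERE UserName = @UserName;
END
GO

DECLARE @hash VARCHAR(60) = '$2a$12$' + REPLICATE('A', 53);  -- constructed, not a real hash

-- The weak procedure stores a shortened value and reports success.
EXEC #procUpdatePasswordWeak 'alice', @hash;

-- Audit query: lists rows whose stored value is not 60 bytes long.
SELECT UserName, [Password], DATALENGTH([Password]) AS StoredBytes
FROM #User
WHERE DATALENGTH([Password]) <> 60;

EXEC #procUpdatePasswordChecked 'alice', @hash;          -- complete hash, stored
EXEC #procUpdatePasswordChecked 'alice', '$2a$12$AAA';   -- shortened input, rejected
```

The audit query, pointed at the real table instead of #User, finds accounts whose stored hash has already been cut short and therefore need a password reset.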

Licensed under: CC-BY-SA with attribution