Converting VARBINARY back to a string

C.

Hey all,

I'm dealing with a legacy ASP app, and I believe to prevent passwords
from being casually observed in the database, the developer converted
the password to VARBINARY:

qry = "UPDATE Users SET Password = CONVERT( VARBINARY, '" &
newPassword & "' ), "

***SNIP****

I now have to ensure those passwords conform to our new security
policy before a migration. How does one convert a VARBINARY type back
to a string in C#?
 
C.

Silly me, I figured out that I should simply do a reverse conversion
as I pull the field out. Move along, nothing to see here.
 
Jeff Johnson

I'm dealing with a legacy ASP app, and I believe to prevent passwords
from being casually observed in the database, the developer converted
the password to VARBINARY:

qry = "UPDATE Users SET Password = CONVERT( VARBINARY, '" &
newPassword & "' ), "

***SNIP****

I now have to ensure those passwords conform to our new security
policy before a migration. How does one convert a VARBINARY type back
to a string in C#?

What is the data type of the Password column?
 
Patrice

Hello,
qry = "UPDATE Users SET Password = CONVERT( VARBINARY, '" &
newPassword & "' ), "

Just the other way round...

Try:

DECLARE @t VARCHAR(100)
DECLARE @b VARBINARY(100)
SET @t='Some text...'
SET @b=CONVERT(VARBINARY(100),@t)
SELECT @b,CONVERT(VARCHAR(100),@b)

Are you sure this is how it was done? If yes, it looks like quite a naive
protection measure. Someone knowledgeable enough to get at the db will
likely have no problem converting such a value back to text...

If you are currently taking additional safety measures you may want to try:
http://anastasiosyal.com/archive/2008/04/23/quick-tip-use-hashbytes-to-create-a-hash-in-tsql.aspx
and make sure to check the comments for a quick yet quite to-the-point
overview of password "hashing"...
 
Arne Vajhøj

I'm dealing with a legacy ASP app, and I believe to prevent passwords
from being casually observed in the database, the developer converted
the password to VARBINARY:

qry = "UPDATE Users SET Password = CONVERT( VARBINARY, '"&
newPassword& "' ),"

***SNIP****

I now have to ensure those passwords conform to our new security
policy before a migration. How does one convert a VARBINARY type back
to a string in C#?

1) You should use Parameters and then you can set a byte array.

2) You should preferably not store the password at all but
instead store a hash (like SHA-256) of it - or at least
encrypt it - what you do is nothing.

Arne
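
The reverse conversion the thread arrives at, combined with Arne's second point, as an added example that is not part of the original thread: it decodes the stored bytes in C#, checks them against a policy, and derives a salted hash to store instead. Assumptions: .NET 6 or later, code page 1252 for the database collation, hypothetical policy thresholds, constructed sample values, and PBKDF2-HMAC-SHA256 used here in place of the bare SHA-256 mentioned above.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
static class LegacyPasswordAudit
{
    const int MinLength = 12;         // hypothetical policy threshold
    const int DefaultConvertLen = 30; // CONVERT(VARBINARY, x) without a length keeps at most 30 bytes

    // Reverse of CONVERT(VARBINARY, '<varchar literal>'): bytes in the database code page.
    // Assumption: the collation's code page is 1252; an N'...' literal would need Encoding.Unicode.
    static string Decode(byte[] stored)
    {
        Encoding.RegisterProvider(CodePagesEncodingProvider.Instance);
        return Encoding.GetEncoding(1252).GetString(stored);
    }

    // Returns the policy problems for one stored value (empty list = compliant).
    static List<string> Audit(byte[] stored)
    {
        string pw = Decode(stored);
        var problems = new List<string>();
        if (pw.Length < MinLength) problems.Add($"shorter than {MinLength}");
        if (!pw.Any(char.IsDigit)) problems.Add("no digit");
        if (!pw.Any(char.IsUpper) || !pw.Any(char.IsLower)) problems.Add("not mixed case");
        if (stored.Length == DefaultConvertLen) problems.Add("30 bytes, may have been truncated on write");
        return problems;
    }

    // Value to store after migration: random salt plus PBKDF2-HMAC-SHA256 output.
    static (byte[] Salt, byte[] Hash) Rehash(byte[] stored)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(Decode(stored), salt, 600_000, HashAlgorithmName.SHA256, 32);
        return (salt, hash);
    }

    static void Main()
    {
        // Constructed sample values; in the app each comes from (byte[])reader["Password"].
        string[] samples = { "letmein", "Correct-Horse-42-Battery", new string('A', 29) + "1" };
        foreach (byte[] row in samples.Select(s => Encoding.ASCII.GetBytes(s)))
        {
            string issues = string.Join("; ", Audit(row));
            Console.WriteLine($"{row.Length,2} bytes; issues: [{issues}]; hash {Convert.ToHexString(Rehash(row).Hash)}");
        }
    }
}
```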
 
