I need to develop in a .NET Application using SQL Server Stored Procedures a validation for passwords.
I've already developed the first validations (uppercase,lowercase,number,etc) but now i need to check that the Passwords must not contain the user's account name or parts of the user's full name that exceed three consecutive characters but i don't know how to do this in SQL (in a stored procedure), maybe with regular expression?
I have searched since this is usually very typical in password validation, but I have not found anything in SQL Server
any ideas about this?
Thanks & Regards!
That is defiantly not the right password protection. First of all sending critical data unencrypted to the server is not a good idea. Your data must me unencrypted on the assumption that you are performing validations on the server rather than the client through stored procedures. Second if you still want that then use regular expressions for validataion. Third you will have to log all the old passwords in the database. then check latest 6 if match then send message else change the password.
Rather what you should do is : To do in .Net code you should hash the password and then fetch the hashed password from the server and compare. Log all the hashed passwords in the database. Fetch last 6 passwords and compare with the hashed password ( of course trying all the salts in old passwords as different salts give different results ) entered. If match warn else store password.