Home/ Questions/Q 6957613
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T15:01:38+00:00

I am modifying an application that uses the PWDEncrypt and PWDCompare functions of SQL

  • 0

I am modifying an application that uses the PWDEncrypt and PWDCompare functions of SQL Server to store hashed passwords into a varbinary column of a table.

As these functions should not be used (due to possible changes in the algorithm or they become deprecated in the future) I would like to convert the application to use the supported HASHBYTES function instead.

Does anyone have the code to implement the same functionality as PWDENCRYPT/PWDCOMPARE using the HASHBYTES functionality so that I do not have to get every user to change their password during the change over and the existing hashed passwords remain valid?

I am using SQL Server 2008 R2.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I have managed to produce my own implementation of PWDENCRYPT and PWDCOMPARE using just SQL.

    Unfortunately, due to the use of RAND() in the PWDENCRYPT section you cannot convert this to a UDF.

    This is the code that performs the PWDEncrypt

    DECLARE @passwordToEncrypt NVARCHAR(MAX)
SET @passwordToEncrypt = 'Password'

DECLARE @salt VARBINARY(4)
SET @salt = CONVERT(VARBINARY(4), RAND())

DECLARE @encryptedPassword VARBINARY(128)

SET
    @encryptedPassword
    =
    0x0100
    +
    --Salt
    @salt
    +
    --Hash of Password + Salt
    HASHBYTES('SHA1', @passwordToEncrypt + CONVERT(NVARCHAR(MAX), @salt))

SELECT
    @passwordToEncrypt [OriginalPassword],
    @encryptedPassword [MyPWDEncrypt],
    PWDCOMPARE(@passwordToEncrypt, @encryptedPassword) [SQLPWDCompare]

    This is the code that performs the PWDCompare

    DECLARE @passwordToTest NVARCHAR(MAX)
SET @passwordToTest = 'Password'

DECLARE @encryptedPassword VARBINARY(128)
SET @encryptedPassword = PWDENCRYPT(@passwordToTest)

SELECT
    @passwordToTest [OriginalPassword],
    @encryptedPassword [SQLPWDEncrypt],
    CASE WHEN
        @encryptedPassword
        =
        --Header
        0x0100
        +
        --Salt
        CONVERT(VARBINARY(4), SUBSTRING(CONVERT(NVARCHAR(MAX), @encryptedPassword), 2, 2))
        +
        --Hash of Password + Salt
        HASHBYTES('SHA1', @passwordToTest + SUBSTRING(CONVERT(NVARCHAR(MAX), @encryptedPassword), 2, 2))
    THEN 1 ELSE 0 END [MyPWDCompare]
    • 0