I’ve been debugging this code for hours, I think I would benefit from someone else taking a look at the problem. I’m writing a login system for my software in C# .net. I am encoding the passwords in SHA512. I am using the hashing algorithm written by Rush Frisby.
Additionally, I am using a salt and pepper on the users password.
// Form1.cs (inside button1_Click)
// IsConnected is a variable which holds the state of the connection
// to the server
if (IsConnected == true)
{
    UsernameField = textBox1.Text; // Fetch the username
    PasswordField = textBox2.Text; // Fetch the password
    // The per-user salt is stored in the DB, go get it:
    Salt = MH.GetUserSalt(UsernameField); // Get the salt for the user
    // Hash the salt, the pepper and the secret key with SHA512
    Salt = HH.SHA512(Salt); // The salt is stored in the DB
    Pepper = HH.SHA512(Pepper); // The pepper is a private field in the current class
    SecretKey = HH.SHA512(Salt + Pepper); // The secret key = SHA512(Salt + Pepper)
    // Now prepend the secret key to the hashed password
    PasswordField = SecretKey + HH.SHA512(PasswordField); // The password is now secret key + SHA512(password)
    // I am expecting 1 row back from the database:
    success = MH.CheckUser(UsernameField, PasswordField); // success (bool): Did CheckUser return 1 row?
}
// MySQLHelper.cs
public bool CheckUser(string username, string password)
{
    if (IsConnected != true)
    {
        LastError = "Not connected!";
        return false;
    }
    cmd = connection.CreateCommand();
    // Bind the values as parameters instead of concatenating them into the
    // query text, so user input can never change the shape of the statement
    cmd.CommandText = "SELECT * FROM credentials WHERE Username = @username AND Password = @password";
    cmd.Parameters.AddWithValue("@username", username);
    cmd.Parameters.AddWithValue("@password", password);
    rdr = cmd.ExecuteReader();
    rows = 0;
    while (rdr.Read())
    {
        rows++;
    }
    // Gracefully release resources (rdr)
    ReleaseResources();
    // Exactly one matching row means the credentials are valid
    return rows == 1;
}
This always works on the first attempt to log in (granted I provide legitimate credentials), however if I fail the first attempt, the second attempt (and any corresponding attempts) will always return 0 (rows), even if the credentials are good (which should return 1 row). If I close out the application and reopen it, the same thing happens. I’m able to log in, but I must provide good credentials on the first attempt or else the rest won’t work.
As I have mentioned, I have isolated the issue down to the password fields not matching. This is the stage in which the secret key is added to the sha512 encoded user password. Let me give you an example:
Valid (on first attempt):
“B045B1FA1FCD4450D34EEEF17414E334B9E928EDB076E3D3D1EE8AF4EF25FD4076B6B228EA4AC53136FDF2BFF3FF780096EA5A63851EADB6133EB537C61CA23ECBE0CD68CBCA3868250C0BA545C48032F43EB0E8A5E6BAB603D109251486F77A91E46A3146D887E37416C6BDB6CBE701BD514DE778573C9B0068483C1C626AEC”
Valid (on second attempt, but remember it fails):
“B1316286A4628120FF77A53CE11CE0B16DF49358858729E3D01B25CDAFB5194112C982B11AC08424C6637F8F445D2D7A76A41B4857B43D60A54BD9E67FC14F20CBE0CD68CBCA3868250C0BA545C48032F43EB0E8A5E6BAB603D109251486F77A91E46A3146D887E37416C6BDB6CBE701BD514DE778573C9B0068483C1C626AEC”
As you can see, for some reason the password is being altered. Do you know what it could be? I appreciate all the help!
C#
Windows 7 x64
Visual Studio 11
MySQL Connector Net 6.5.4
If there is any additional information I can provide you with that I have accidentally withheld, please tell me.
The first part of the string is different, so your salt or pepper has changed.
The password is still good, because the last part of the strings is still equal.
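The behaviour the question describes and the answer diagnoses, reproduced as an added example (not code from the question or the answer; written in Python rather than C# so it can be run stand-alone): the button handler overwrites the Pepper field with its own hash on every click, so the secret-key prefix of the submitted value changes between attempts while the SHA512(password) suffix stays the same. The pepper, salt and password values below are constructed.

```python
import hashlib


def sha512_hex(s: str) -> str:
    """Upper-case hex SHA-512, matching the 128-hex-char halves in the question."""
    return hashlib.sha512(s.encode("utf-8")).hexdigest().upper()


class BuggyLogin:
    """Mirrors the question's handler: Pepper is a field that is re-hashed
    in place on every attempt, so its value drifts after the first click."""

    def __init__(self, pepper: str, stored_salt: str):
        self.pepper = pepper              # private field, as in Form1
        self.stored_salt = stored_salt    # stands in for MH.GetUserSalt()

    def build_password_field(self, password: str) -> str:
        salt = sha512_hex(self.stored_salt)
        self.pepper = sha512_hex(self.pepper)   # BUG: field mutated each attempt
        secret_key = sha512_hex(salt + self.pepper)
        return secret_key + sha512_hex(password)


class FixedLogin:
    """Same derivation, but the hashed pepper is kept in a local variable so
    the field is left untouched and every attempt derives the same key."""

    def __init__(self, pepper: str, stored_salt: str):
        self.pepper = pepper
        self.stored_salt = stored_salt

    def build_password_field(self, password: str) -> str:
        salt = sha512_hex(self.stored_salt)
        pepper = sha512_hex(self.pepper)        # local copy, field unchanged
        secret_key = sha512_hex(salt + pepper)
        return secret_key + sha512_hex(password)


def attempts(login, password: str, n: int = 3) -> list:
    """Simulate n consecutive login clicks and return each submitted value."""
    return [login.build_password_field(password) for _ in range(n)]


def diagnose(values: list) -> dict:
    """Apply the answer's reasoning: split each 256-char value into the
    128-char secret-key prefix and the 128-char SHA512(password) suffix."""
    prefixes = {v[:128] for v in values}
    suffixes = {v[128:] for v in values}
    return {"prefix_stable": len(prefixes) == 1, "suffix_stable": len(suffixes) == 1}
```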