validate password in code or stored procedure

I am currently creating a login and registration system with .NET/C#. A SQL Server database holds usernames and passwords (hashed passwords with a salt, etc.).

When I need to validate the password, what is the current procedure? Is it to take the value the user has input, hash it with the salt, etc., pass it into a stored procedure and do a comparison there? Or, same steps as above, but do a compare of the passwords in C# code?

I would like to make a decision based upon best practice and the most secure method, so I'm looking for suggestions on this and items I should consider.

amateur asked Nov 20 '25 21:11


1 Answer

I think this is a six and two threes. The important thing for me is that you're not storing the password, but a hash. That's good design.

The only thing I'd add is just to be consistent. Presumably, as well as dealing with logins, your hash engine will also come into play when users create accounts or reset passwords. Keep it all in the one black box. In other words, one of the database or the C# should be pretty intelligent, the other pretty dumb.

I suppose you could come at it from reusability... any chance you'll want to re-use the security mechanism, either with a different database or without a layer of componentry above it? That might sway your choice.

The only other thing I can think of is what security you're putting around changing data within the app (i.e. day-to-day business function). Might that aspect influence your decision?

PeteH answered Nov 22 '25 12:11
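As an added illustration of the "one smart, one dumb" split the answer recommends, here is the C#-side version, where the database only hands back the stored salt, iteration count and hash and all derivation and comparison happens in code. This is example code written for this page, not from the asker or answerer; it assumes .NET 6 or later, and the PBKDF2 parameters, table and column names in the SQL comment are assumptions.

```csharp
using System;
using System.Security.Cryptography;

// The "dumb" database side is only a lookup, e.g. (assumed schema):
//   SELECT Salt, PasswordHash, Iterations FROM Users WHERE Username = @Username
// Everything below is the "smart" C# side that registration, login and
// password reset all share, so the hashing policy lives in exactly one place.
public static class PasswordVerifier
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int DefaultIterations = 100_000; // assumed work factor; tune per environment

    // Registration / reset: fresh random salt, PBKDF2-HMAC-SHA256 hash to store.
    public static (byte[] Salt, byte[] Hash, int Iterations) Create(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, DefaultIterations, HashAlgorithmName.SHA256, HashBytes);
        return (salt, hash, DefaultIterations);
    }

    // Login: re-derive from the user's input and the stored salt, then compare in
    // fixed time so a mismatch does not leak how many leading bytes matched.
    public static bool Verify(string password, byte[] storedSalt, byte[] storedHash, int iterations)
    {
        byte[] candidate = Rfc2898DeriveBytes.Pbkdf2(
            password, storedSalt, iterations, HashAlgorithmName.SHA256, storedHash.Length);
        return CryptographicOperations.FixedTimeEquals(candidate, storedHash);
    }

    public static void Main()
    {
        // Constructed round trip standing in for a registration followed by two logins.
        var record = Create("correct horse battery staple");
        Console.WriteLine(Verify("correct horse battery staple", record.Salt, record.Hash, record.Iterations)); // True
        Console.WriteLine(Verify("wrong password", record.Salt, record.Hash, record.Iterations));               // False
    }
}
```

Storing the iteration count alongside the hash lets the C# side raise the work factor later and rehash users on their next successful login without a schema change.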


