Sunday, 29 September 2013

Hashing password to SqlServer


I've been reading over and over the code again to see where the error is being made, but I'm unable to find it. I've copied this code from stackoverflow and never really checked it or understood it well enough to fix it. I'm receiving passwords from a webservice, hashing, salting and saving them to a SqlServer 2008. The variables on the SqlServer are declared as mail as nvarchar(64), hash as varbinary(128) and salt as varbinary(128). The passwords are being saved, but when I try to check if the password is correct the method always returns false. These are my methods:
using System.Data.SqlClient;
using System.Security.Cryptography;

public int InsertData(string mail, string Password)
{
    int lineas;
    // Hash and salt the incoming password before it touches the database.
    UserData usuario = HashPassword(Password);
    using (SqlConnection connection = new SqlConnection(Connection))
    using (SqlCommand command = connection.CreateCommand())
    {
        command.CommandText = "INSERT INTO Usuarios (Mail,Hash,Salt) VALUES (@mail,@hash,@salt)";
        command.Parameters.AddWithValue("@mail", mail);
        command.Parameters.AddWithValue("@hash", usuario.Password); // byte[] -> varbinary
        command.Parameters.AddWithValue("@salt", usuario.salt);     // byte[] -> varbinary
        connection.Open();
        lineas = command.ExecuteNonQuery();
    }
    usuario = null;
    return lineas;
}
private UserData HashPassword(string Password)
{
    // This method hashes the user password and saves it into the object UserData.
    // Rfc2898DeriveBytes(password, 20) generates a random 20-byte salt and uses
    // the default iteration count (1000); CheckPassword must use the same count.
    using (var deriveBytes = new Rfc2898DeriveBytes(Password, 20))
    {
        byte[] salt = deriveBytes.Salt;
        byte[] key = deriveBytes.GetBytes(20); // derive a 20-byte key
        UserData usuario = new UserData();
        usuario.Password = key;
        usuario.salt = salt;
        return usuario;
    }
}
And the next method is the one I use to validate the password; it always returns false:
private bool CheckPassword(string Password, byte[] hash, byte[] salt)
{
    // Load salt and key from database, re-derive the key with the stored salt
    // (default 1000 iterations, the same as HashPassword) and compare it.
    using (var deriveBytes = new Rfc2898DeriveBytes(Password, salt))
    {
        byte[] newKey = deriveBytes.GetBytes(20); // derive a 20-byte key
        return newKey.SequenceEqual(hash);        // requires using System.Linq;
    }
}
This method receives the login info:
public bool ValidateLogIn(string mail, string Password)
{
    using (SqlConnection connection = new SqlConnection(Connection))
    using (SqlCommand command = connection.CreateCommand())
    {
        command.CommandText = "Select * from Usuarios where Mail=@mail";
        command.Parameters.AddWithValue("@mail", mail);
        connection.Open();
        using (SqlDataReader reader = command.ExecuteReader())
        {
            // No row for this mail: treat it as a failed login instead of
            // throwing on the column reads below.
            if (!reader.Read())
                return false;
            byte[] hash = (byte[])reader["Hash"];
            byte[] salt = (byte[])reader["Salt"];
            if (CheckPassword(Password, hash, salt))
            {
                // Password matched; UpdateData is not shown here.
                UpdateData(mail, Password);
                return true;
            }
            else
            {
                return false;
            }
        }
    }
}
Any ideas what could be wrong?
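The following is an added example, not code from the question above: a self-contained PBKDF2 round-trip with the same Rfc2898DeriveBytes API, written so that both the hashing and the verifying side take their parameters (salt, key length, iteration count) from one stored record rather than relying on the class defaults. The database is left out; an in-memory StoredCredential stands in for the Usuarios row. The salt size, key size and iteration count are assumed values, and the fixed-time comparison is a hand-written helper because CryptographicOperations.FixedTimeEquals does not exist on the .NET Framework versions contemporary with SQL Server 2008. The Main method also prints the salt and hash as hex together with their lengths, and then shows the two ways a correct password still verifies as false: the two sides disagreeing on the iteration count, and the stored hash bytes not surviving storage intact.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

// Added example (not the question's code): PBKDF2 hash/verify round-trip with
// explicit parameters carried in the stored record.
public static class PasswordHashing
{
    // Assumed parameters for this example.
    private const int SaltSize = 16;
    private const int KeySize = 20;
    private const int Iterations = 100000;

    // Stand-in for the database row: hash, salt and the iteration count used.
    public sealed class StoredCredential
    {
        public byte[] Hash { get; set; }
        public byte[] Salt { get; set; }
        public int Iterations { get; set; }
    }

    public static StoredCredential Hash(string password)
    {
        // Rfc2898DeriveBytes(password, saltSize, iterations) generates a random salt.
        using (var kdf = new Rfc2898DeriveBytes(password, SaltSize, Iterations))
        {
            return new StoredCredential
            {
                Salt = kdf.Salt,
                Hash = kdf.GetBytes(KeySize),
                Iterations = Iterations,
            };
        }
    }

    public static bool Verify(string password, StoredCredential stored)
    {
        // Re-derive with exactly the salt, iteration count and key length that
        // were used when the record was written.
        using (var kdf = new Rfc2898DeriveBytes(password, stored.Salt, stored.Iterations))
        {
            byte[] candidate = kdf.GetBytes(stored.Hash.Length);
            return FixedTimeEquals(candidate, stored.Hash);
        }
    }

    // Compares every byte regardless of where the first mismatch is, so the
    // comparison time does not depend on how much of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static string ToHex(byte[] bytes)
    {
        return BitConverter.ToString(bytes).Replace("-", "");
    }

    public static void Main()
    {
        const string password = "correct horse battery staple"; // constructed sample
        StoredCredential stored = Hash(password);

        // Print what actually gets stored; comparing these against what comes
        // back from the database is the quickest way to spot a round-trip problem.
        Console.WriteLine("salt = " + ToHex(stored.Salt) + " (" + stored.Salt.Length + " bytes)");
        Console.WriteLine("hash = " + ToHex(stored.Hash) + " (" + stored.Hash.Length + " bytes)");
        Console.WriteLine("correct password  -> " + Verify(password, stored));
        Console.WriteLine("wrong password    -> " + Verify("Tr0ub4dor&3", stored));

        // Same password, same salt, different iteration count: always false.
        var mismatched = new StoredCredential { Hash = stored.Hash, Salt = stored.Salt, Iterations = 1000 };
        Console.WriteLine("iteration mismatch -> " + Verify(password, mismatched));

        // Stored hash altered on the way through storage (here: truncated): always false.
        var truncated = new StoredCredential { Hash = stored.Hash.Take(16).ToArray(), Salt = stored.Salt, Iterations = Iterations };
        Console.WriteLine("truncated hash     -> " + Verify(password, truncated));
    }
}
```

Storing the iteration count next to the hash and salt, as this example does, lets the verification side reconstruct the derivation exactly and lets the cost be raised later without invalidating existing records; when the two sides each rely on a constructor default, any change to one of them silently turns every login into a failed one.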
