Replace the null with a zero and filter them out in your query. Never underestimate the power of human stupidity - RAH I'm old. I know stuff - JSOP

Quote: private bool MatchPasswordHash(string passwordText, byte[] password, byte[] passwordKey) { using (var hmac = new HMACSHA512(passwordKey)) { var passwordHash = hmac.ComputeHash(Encoding.UTF8.GetBytes(passwordText)); for (int i = 0; i < passwordHash.Length; i++) { if (passwordHash[i] != password[i]) { return false; } } return true; } } Not an answer to your question, but that code is potentially vulnerable to a timing attack[^]. Although the salt may render it harder for an attacker to exploit, it would be better to avoid the early return - you always want this function to compare the full length of the arrays, not just the first n bytes. bool areEqual = true; for (int i = 0; i < passwordHash.Length; i++) { if (passwordHash[i] != password[i]) { areEqual = false; } } return areEqual; "These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer

By the look of the code that was written for Python version 2.x, and to run under Linux, not Windows. But using such a tool will most likely get you in trouble.

Thanks. Solved.

Almost certainly. But only you can answer that - we don't have access to your server or your code. Most APIs implement some form of rate limiting - if a single API key issues too many requests within a given window, the API responds with a 429 status code, and sets a header telling the caller how long they need to wait before trying again. This won't prevent malicious or misconfigured clients from trying to overwhelm your service, but it should reduce the amount of strain they're able to put on your server. If you're really worried, then you'll need to sign up for a DDoS protection service. "These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer

Alex Wright 2022 wrote: public string Password { get; set; } You appear to be storing your users' passwords in plain text. Don't do that! Secure Password Authentication Explained Simply[^] Salted Password Hashing - Doing it Right[^] ASP.NET already provides a built-in authentication system which does the right thing for you: Introduction to Identity on ASP.NET Core | Microsoft Learn[^] "These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer