salt and hash password problem

I am creating a one-way hashed password to store in my DB. I am using a salt size of 5. When the password is created, the salt value is 8 characters. See the code below:

Imports System.Security.Cryptography
Imports System.Web.Security

Dim saltSize As Integer = 5
Dim salt As String = CreateSalt(saltSize)
Dim passwordHash As String = CreatePasswordHash(Trim(txtPassword.Text), Trim(salt))

Response.Write("<br>salt value: " & salt)

Private Shared Function CreateSalt(ByVal size As Integer) As String

    Dim rng As RNGCryptoServiceProvider = New RNGCryptoServiceProvider
    ' VB.NET array bounds are inclusive: buff(size) holds size + 1 bytes,
    ' so size = 5 gives 6 random bytes
    Dim buff(size) As Byte

    rng.GetBytes(buff)
    ' Base64 emits 4 characters per 3 bytes: 6 bytes become 8 characters
    Return Convert.ToBase64String(buff)

End Function

Private Shared Function CreatePasswordHash(ByVal pwd As String, ByVal salt As String) As String

    ' SHA-1 of password + salt, returned as 40 uppercase hex characters
    Dim saltAndPwd As String = String.Concat(pwd, salt)
    Dim hashedPwd As String = FormsAuthentication.HashPasswordForStoringInConfigFile(saltAndPwd, "SHA1")
    ' Stored value is the hex hash followed by the salt string
    hashedPwd = String.Concat(hashedPwd, salt)

    Return hashedPwd

End Function

However, when I try to authenticate a user that is trying to log in I am having a problem:

Dim dbPasswordHash As String = reader.GetString(0)
Dim saltSize As Integer = 5
' Takes the last 5 characters of the stored value; the salt appended by
' CreatePasswordHash is 8 characters long
Dim salt As String = dbPasswordHash.Substring(dbPasswordHash.Length - saltSize)

' Note: the password is not trimmed here, unlike at creation
Dim pwdHash As String = CreatePasswordHash(txtPassword.Text, salt)
passwordMatch = pwdHash.Equals(dbPasswordHash)

The returned salt value is not of length 5 but is 8 characters. The authentication thus fails. Can someone help with this query?
nmretdAsked:
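The following is an added example, not the asker's code, written to show where the 8 characters come from and how the salt can be recovered at login without knowing its length. It assumes a console project that references System.Web (for FormsAuthentication) and targets .NET 2.0 or later; the module and function names (SaltDemo, CreateSaltAsAsked, CreateStoredValue, VerifyPassword, Sha1HexLength) are my own.

```vbnet
' Added example, not the asker's code. Assumes a console project that
' references System.Web (for FormsAuthentication) and targets .NET 2.0+.
Imports System
Imports System.Security.Cryptography
Imports System.Text
Imports System.Web.Security

Module SaltDemo

    ' HashPasswordForStoringInConfigFile(..., "SHA1") always returns 40 hex
    ' characters, so everything after index 40 of the stored value is the salt.
    Private Const Sha1HexLength As Integer = 40

    ' Same shape as the question's CreateSalt: "Dim buff(size)" declares
    ' size + 1 elements (indices 0..size), so size = 5 yields 6 random bytes,
    ' and Base64 emits 4 characters per 3 bytes, giving an 8-character string.
    Function CreateSaltAsAsked(ByVal size As Integer) As String
        Dim buff(size) As Byte
        Dim rng As New RNGCryptoServiceProvider()
        rng.GetBytes(buff)
        Return Convert.ToBase64String(buff)
    End Function

    ' Corrected bound: exactly "size" random bytes. The text form is still
    ' Base64, so its length is 4 * Ceiling(size / 3) characters, never "size";
    ' 5 bytes encode to 8 characters with one '=' of padding.
    Function CreateSalt(ByVal size As Integer) As String
        Dim buff(size - 1) As Byte
        Dim rng As New RNGCryptoServiceProvider()
        rng.GetBytes(buff)
        Return Convert.ToBase64String(buff)
    End Function

    ' Same primitive as the question: SHA-1 over password + salt, hex encoded.
    Function HashPassword(ByVal pwd As String, ByVal salt As String) As String
        Return FormsAuthentication.HashPasswordForStoringInConfigFile(pwd & salt, "SHA1")
    End Function

    ' Stored form used by the question: 40 hex characters of hash, then the salt.
    Function CreateStoredValue(ByVal pwd As String, ByVal salt As String) As String
        Return HashPassword(pwd, salt) & salt
    End Function

    ' Login check: recover the salt by its fixed offset, not by a guessed length.
    Function VerifyPassword(ByVal candidate As String, ByVal stored As String) As Boolean
        If stored.Length <= Sha1HexLength Then Return False
        Dim storedHash As String = stored.Substring(0, Sha1HexLength)
        Dim salt As String = stored.Substring(Sha1HexLength)
        Return String.Equals(HashPassword(candidate, salt), storedHash, StringComparison.Ordinal)
    End Function

    Sub Main()
        Console.WriteLine("CreateSaltAsAsked(5) length: " & CreateSaltAsAsked(5).Length.ToString())
        Console.WriteLine("CreateSalt(5) length:        " & CreateSalt(5).Length.ToString())

        Dim salt As String = CreateSalt(5)
        Dim stored As String = CreateStoredValue("correct horse", salt)

        ' What the question's login code does: the last 5 characters of an 8-character salt
        Dim wrongSalt As String = stored.Substring(stored.Length - 5)
        Console.WriteLine("salt from Substring(Length - 5): " & wrongSalt & "  (wanted " & salt & ")")
        Console.WriteLine("match with wrong salt: " & (CreateStoredValue("correct horse", wrongSalt) = stored).ToString())

        Console.WriteLine("VerifyPassword, right password: " & VerifyPassword("correct horse", stored).ToString())
        Console.WriteLine("VerifyPassword, wrong password: " & VerifyPassword("correct battery", stored).ToString())
    End Sub

End Module
```

Both salt functions report a length of 8: the original because it draws 6 bytes, the corrected one because 5 bytes still need 8 Base64 characters. Taking the last 5 characters of the stored value therefore yields a truncated salt and the recomputed hash never matches; splitting at the fixed 40-character boundary of the hex SHA-1 (or storing the salt in its own column) works for any salt length. The comparison uses an ordinal string equality so culture settings cannot affect the result.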

mppetersCommented:
You can't get the salt from the already hashed dbPasswordHash; it's already encompassed within the entire dbPasswordHash string.

You have to get the original salt string used to create the password hash.

Dim dbPasswordHash As String = reader.GetString(0)
Dim saltSize As Integer = 5

' --- This is not correct
Dim salt As String = dbPasswordHash.Substring(dbPasswordHash.Length - saltSize)

Dim pwdHash As String = CreatePasswordHash(txtPassword.Text, salt)
passwordMatch = pwdHash.Equals(dbPasswordHash)
0
nauman_ahmedCommented:
You should also take a look at SHA encryption:

SHA 512 Bit Encryption
http://www.experts-exchange.com/Programming/Programming_Languages/C_Sharp/Q_20984315.html

You can convert this to VB at http://carlosag.net/Tools/CodeTranslator/Default.aspx

Another option is AES Encryption:

Title: VB.NET - how to store and retrieve encrypted passwords from sql server db within ASP.NET app
http://www.experts-exchange.com/Programming/Programming_Languages/Dot_Net/ASP_DOT_NET/Q_21647755.html

HTH, Nauman.
0
mppetersCommented:
nmretd: There's nothing wrong with your solution, don't bother with the other encryption options mentioned by nauman.
All you have to do is make your createsalt function use a hard-coded string.
0
nmretdAuthor Commented:
mppeters

This is what I am trying to do, i.e. retrieve the original salt string from dbPasswordHash, because it has been concatenated to this string.
0
nmretdAuthor Commented:
Can someone help me to adapt my code?
0
mppetersCommented:
Ohh, I see. You're adding the salt to the end of the hash. That doesn't seem like a good idea to me...
0
nmretdAuthor Commented:
This is the solution from MSDN: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT03.asp

I have converted the code to VB.NET.
0
mppetersCommented:
Don't bother with the separate salt function; give this a try.

Imports System.Security.Cryptography
Imports System.Text

Private Shared Function CreatePasswordHash(ByVal pwd As String) As String

    ' One fixed value, compiled into the application and shared by every account
    Dim salt As String = "heresomesaltthatyouhardcode"
    Dim hasher As HashAlgorithm = New SHA1Managed
    Dim pwdBytes As Byte() = Encoding.UTF8.GetBytes(String.Concat(pwd, salt))
    ' ComputeHash returns exactly the 20 SHA-1 bytes. The original
    ' "Dim pwdHash(hasher.HashSize / 8)" declared a 21-element array (VB
    ' bounds are inclusive) and so appended a stray zero byte before encoding.
    Dim pwdHash As Byte() = hasher.ComputeHash(pwdBytes)
    hasher.Clear()
    Return Convert.ToBase64String(pwdHash)

End Function
0

nmretdAuthor Commented:
That seems to do the trick.

However, do you think this is a sufficiently secure method, or should I also look at alternative hashing methods for storing my passwords? Plus, what is the best value/size to use for the hardcoded salt value? Should I use letters and numbers mixed with upper and lowercase? Please advise.

Thanks.
0
mppetersCommented:
I think this is sufficiently secure, I use it myself.

The hardcoded salt value should not be an easy thing to guess (no words or phrases). I would just randomly type some stuff which you can mix with upper/lowercase and numbers and symbols. I'd say 14 characters should be more than enough. SHA is a pretty good hashing algorithm, so you don't need to do much extra effort.
0
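As an added example (not mppeters' or the asker's code), the block below puts the accepted answer's fixed application-wide salt next to a per-account random salt, using the same SHA-1 + Base64 primitive, so the practical difference is visible in the stored values. The module and function names (SaltComparison, Sha1Base64, HashWithFixedSalt, NewAccountSalt, HashWithAccountSalt) and the sample password are my own; it assumes .NET 2.0 or later.

```vbnet
' Added example, not code from the thread. Contrasts the accepted answer's
' fixed salt with a per-account random salt; names and sample data are mine.
Imports System
Imports System.Security.Cryptography
Imports System.Text

Module SaltComparison

    ' SHA-1 of password + salt, Base64 encoded (the accepted answer's primitive).
    Function Sha1Base64(ByVal pwd As String, ByVal salt As String) As String
        Dim hasher As HashAlgorithm = New SHA1Managed
        Dim digest As Byte() = hasher.ComputeHash(Encoding.UTF8.GetBytes(pwd & salt))
        hasher.Clear()
        Return Convert.ToBase64String(digest)
    End Function

    ' Accepted answer: one salt for every account, so equal passwords give equal hashes.
    Private Const FixedSalt As String = "heresomesaltthatyouhardcode"

    Function HashWithFixedSalt(ByVal pwd As String) As String
        Return Sha1Base64(pwd, FixedSalt)
    End Function

    ' Per-account: 16 random bytes generated when the password is set and stored
    ' beside the hash (a second column, or appended as in the question).
    Function NewAccountSalt() As String
        Dim buff(15) As Byte   ' 16 bytes; VB array bounds are inclusive
        Dim rng As New RNGCryptoServiceProvider()
        rng.GetBytes(buff)
        Return Convert.ToBase64String(buff)
    End Function

    Function HashWithAccountSalt(ByVal pwd As String, ByVal accountSalt As String) As String
        Return Sha1Base64(pwd, accountSalt)
    End Function

    Sub Main()
        ' Two accounts that happen to share a password (constructed sample)
        Dim alice As String = HashWithFixedSalt("Summer2006")
        Dim bob As String = HashWithFixedSalt("Summer2006")
        Console.WriteLine("fixed salt, same password, same stored hash: " & (alice = bob).ToString())

        Dim aliceSalt As String = NewAccountSalt()
        Dim bobSalt As String = NewAccountSalt()
        Dim alice2 As String = HashWithAccountSalt("Summer2006", aliceSalt)
        Dim bob2 As String = HashWithAccountSalt("Summer2006", bobSalt)
        Console.WriteLine("per-account salt, same password, same stored hash: " & (alice2 = bob2).ToString())

        ' Login still works because the account's own salt is stored with the hash
        Console.WriteLine("alice logs in: " & (HashWithAccountSalt("Summer2006", aliceSalt) = alice2).ToString())
    End Sub

End Module
```

The first line prints True and the second False. With one fixed salt, every account that shares a password shares a stored hash, and a single precomputed table of SHA-1(password + salt) covers the whole user table; the salt also ships inside every copy of the compiled application. A per-account random salt removes both properties for the cost of one extra column. Whichever salt is used, a single SHA-1 is one fast operation per guess; .NET 2.0 already includes Rfc2898DeriveBytes (PBKDF2), which takes a salt and a configurable iteration count for exactly this purpose.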
nmretdAuthor Commented:
Thanks again.
0