nmretd

asked on

salt and hash password problem

I am creating a one-way hashed password to store in my db. I am using a salt size of 5. When the password is created the salt value is 8 characters. See code below:

Imports System.Security.Cryptography
Imports System.Web.Security

Dim saltSize As Integer = 5
Dim salt As String = CreateSalt(saltSize)
Dim passwordHash As String = CreatePasswordHash(Trim(txtPassword.Text), Trim(salt))

Response.Write("<br>salt value: " & salt)

' Generates random salt bytes with the CSPRNG and returns them Base64-encoded
Private Shared Function CreateSalt(ByVal size As Integer) As String
    Dim rng As RNGCryptoServiceProvider = New RNGCryptoServiceProvider
    Dim buff(size) As Byte

    rng.GetBytes(buff)
    Return Convert.ToBase64String(buff)
End Function

' Hashes password + salt with SHA1 and appends the salt text to the result for storage
Private Shared Function CreatePasswordHash(ByVal pwd As String, ByVal salt As String) As String
    Dim saltAndPwd As String = String.Concat(pwd, salt)
    Dim hashedPwd As String = FormsAuthentication.HashPasswordForStoringInConfigFile(saltAndPwd, "SHA1")
    hashedPwd = String.Concat(hashedPwd, salt)

    Return hashedPwd
End Function

However, when I try to authenticate a user that is trying to log in I am having a problem:

Dim dbPasswordHash As String = reader.GetString(0)
Dim saltSize As Integer = 5
Dim salt As String = dbPasswordHash.Substring(dbPasswordHash.Length - saltSize)

Dim pwdHash As String = CreatePasswordHash(txtPassword.Text, salt)
passwordMatch = pwdHash.Equals(dbPasswordHash)

The returned salt value is not of length 5 but it is 8 characters. The authentication thus fails. Can someone help with this query?
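As an added example (not code from the thread, nor from the MSDN article it follows), here is the same store/verify layout in Python, with the verify side done by digest length rather than by byte count. Two facts account for the 8 characters: Base64 turns every 3 input bytes into 4 output characters with padding, so 5 bytes encode to 8 characters; and in VB.NET `Dim buff(size) As Byte` declares indices 0 to size, i.e. size + 1 = 6 bytes, which also encodes to 8 characters. Either way `saltSize` is a byte count while `Substring(Length - saltSize)` slices a text length, so it returns only 5 of the 8 salt characters and the rehash can never match. The example recovers the salt by skipping the fixed 40-character hex SHA-1 digest, keeps the thread's byte-count slice as a function so the two can be run side by side, and compares in constant time. UTF-8 for the string-to-bytes step and the uppercase-hex digest form are assumptions of this example, not verified details of the .NET helper.

```python
import base64
import hashlib
import hmac
import os

# Layout mirrors the thread's VB.NET code: stored = HEX(SHA1(password + salt)) + salt,
# where salt is the Base64 text of a few random bytes.
SALT_BYTES = 5          # the thread's saltSize: a byte count, not a text length
HEX_SHA1_LEN = 40       # SHA-1 digest is 20 bytes -> 40 hex characters


def base64_len(n_bytes: int) -> int:
    """Length of the Base64 text for n_bytes of input (padded to a multiple of 4)."""
    return ((n_bytes + 2) // 3) * 4


# 5 bytes -> 8 characters; the VB.NET off-by-one (6 bytes) -> also 8 characters.
SALT_TEXT_LEN = base64_len(SALT_BYTES)


def create_salt(size: int = SALT_BYTES) -> str:
    """Random salt: `size` bytes from the OS CSPRNG, Base64-encoded for storage as text."""
    return base64.b64encode(os.urandom(size)).decode("ascii")


def create_password_hash(password: str, salt: str) -> str:
    """Stored form: uppercase hex SHA-1 of (password + salt), then the salt text appended.

    UTF-8 for the string-to-bytes step is an assumption of this example.
    """
    digest = hashlib.sha1((password + salt).encode("utf-8")).hexdigest().upper()
    return digest + salt


def extract_salt(stored: str) -> str:
    """Recover the salt from the stored string by skipping the fixed-length digest.

    The hex digest is always 40 characters, so everything after it is the salt,
    whatever byte count the salt was generated from.
    """
    return stored[HEX_SHA1_LEN:]


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the stored form from the candidate password and compare in constant time."""
    salt = extract_salt(stored)
    if len(salt) != SALT_TEXT_LEN:
        return False  # malformed record: salt text is not the expected length
    candidate = create_password_hash(password, salt)
    return hmac.compare_digest(candidate.encode("ascii"), stored.encode("ascii"))


def verify_password_by_byte_count(password: str, stored: str, salt_size: int = SALT_BYTES) -> bool:
    """The thread's verify step, reproduced: takes the last `salt_size` characters as the salt.

    With salt_size = 5 this slices 5 of the 8 Base64 characters, so the rehash is
    40 + 5 = 45 characters against a 48-character record and never matches.
    """
    salt = stored[-salt_size:]
    return create_password_hash(password, salt) == stored


if __name__ == "__main__":
    # Constructed sample input for a local run.
    stored = create_password_hash("correct horse", create_salt())
    print("stored record :", stored)
    print("recovered salt:", extract_salt(stored))
    print("verify by digest length :", verify_password("correct horse", stored))          # True
    print("verify by byte count    :", verify_password_by_byte_count("correct horse", stored))  # False
```

The design point is that the salt length the verifier relies on must be the length of what was actually stored (the encoded text), not the number of random bytes fed to the encoder; deriving it from the fixed digest length removes that dependency entirely. `hmac.compare_digest` is used for the final comparison so that a wrong guess takes the same time regardless of how many leading characters happen to match.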
mppeters

You can't get the salt from the already hashed dbPasswordHash, it's already encompassed within the entire dbPasswordHash string.

You have to get the original salt string used to create the password hash.

Dim dbPasswordHash As String = reader.GetString(0)
Dim saltSize As Integer = 5

' --- This is not correct
Dim salt As String = dbPasswordHash.Substring(dbPasswordHash.Length - saltSize)

Dim pwdHash As String = CreatePasswordHash(txtPassword.Text, salt)
passwordMatch = pwdHash.Equals(dbPasswordHash)
You should also take a look at SHA encryption:

SHA 512 Bit Encryption
https://www.experts-exchange.com/questions/20984315/SHA-1-512bit-encryption.html

You can convert this to VB at http://carlosag.net/Tools/CodeTranslator/Default.aspx

Another option is AES Encryption:

Title: VB.NET - how to store and retrieve encrypted passwords from sql server db within ASP.NET app
https://www.experts-exchange.com/questions/21647755/VB-NET-how-to-store-and-retrieve-encrypted-passwords-from-sql-server-db-within-ASP-NET-app.html

HTH, Nauman.
nmretd: There's nothing wrong with your solution, don't bother with the other encryption options mentioned by nauman.
All you have to do is make your createsalt function use a hard-coded string.

ASKER

mppeters

This is what I am trying to do, i.e. retrieve the original salt string from the dbPasswordHash, because it has been concatenated to this string?

ASKER

Can someone help me to adapt my code ?
Ohh, I see. You're adding the salt to the end of the hash. That doesn't seem like a good idea to me...

ASKER

This is the solution from msdn: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT03.asp

I have converted the code to vb.net
ASKER CERTIFIED SOLUTION
mppeters

ASKER

That seems to do the trick.

However, do you think this is a sufficiently secure method or should I also look at alternative hashing methods for storing my passwords? Plus, what is the best value/size to use for the hardcoded salt value? Should I use letters and numbers mixed with upper and lowercase? Please advise.

Thanks.
I think this is sufficiently secure, I use it myself.

The hardcoded salt value should not be an easy thing to guess (no words or phrases). I would just randomly type some stuff which you can mix with upper/lowercase and numbers and symbols. I'd say 14 characters should be more than enough. SHA is a pretty good hashing algorithm, so you don't need to do much extra effort.

ASKER

Thanks again.