nmretd
asked on
salt and hash password problem
I am creating a one-way hashed password to store in my db. I am using a salt size of 5. When the password is created the salt value is 8 characters. See code below:
Dim saltSize As Integer = 5
Dim salt As String = CreateSalt(saltSize)
Dim passwordHash As String = CreatePasswordHash(trim(txtPassword.Text), trim(salt))
response.write("<br>salt value: " & salt)
Private Shared Function CreateSalt(ByVal size As Integer) As String
    ' Fill a buffer with random bytes and return it as a Base64 string.
    ' Note: VB array bounds are inclusive, so buff(size) holds size + 1 bytes.
    Dim rng As RNGCryptoServiceProvider = New RNGCryptoServiceProvider
    Dim buff(size) As Byte
    rng.GetBytes(buff)
    Return Convert.ToBase64String(buff)
End Function
Private Shared Function CreatePasswordHash(ByVal pwd As String, ByVal salt As String) As String
    ' Hash password + salt, then append the salt so it can be recovered at login.
    Dim saltAndPwd As String = String.Concat(pwd, salt)
    Dim hashedPwd As String = FormsAuthentication.HashPasswordForStoringInConfigFile(saltAndPwd, "SHA1")
    hashedPwd = String.Concat(hashedPwd, salt)
    Return hashedPwd
End Function
However, when I try to authenticate a user that is trying to log in I am having a problem:
Dim dbPasswordHash As String = reader.GetString(0)
Dim saltSize As Integer = 5
Dim salt As String = dbPasswordHash.Substring(dbPasswordHash.Length - saltSize)
Dim pwdHash As String = CreatePasswordHash(txtPassword.Text, salt)
passwordMatch = pwdHash.Equals(dbPasswordHash)
The returned salt value is not of length 5 but it is 8 characters. The authentication thus fails. Can someone help with this query?
You should also take a look at SHA encryption:
SHA 512 Bit Encryption
https://www.experts-exchange.com/questions/20984315/SHA-1-512bit-encryption.html
You can convert this to VB at http://carlosag.net/Tools/CodeTranslator/Default.aspx
Another option is AES Encryption:
Title: VB.NET - how to store and retrieve encrypted passwords from sql server db within ASP.NET app
https://www.experts-exchange.com/questions/21647755/VB-NET-how-to-store-and-retrieve-encrypted-passwords-from-sql-server-db-within-ASP-NET-app.html
HTH, Nauman.
nmretd: There's nothing wrong with your solution, don't bother with the other encryption options mentioned by nauman.
All you have to do is make your createsalt function use a hard-coded string.
ASKER
mppeters
This is what I am trying to do, i.e. retrieve the original salt string from the dbPasswordHash because it has been concatenated to this string?
ASKER
Can someone help me to adapt my code?
Ohh, I see. You're adding the salt to the end of the hash. That doesn't seem like a good idea to me...
ASKER
This is the solution from msdn: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT03.asp
I have converted the code to vb.net
ASKER CERTIFIED SOLUTION
ASKER
That seems to do the trick.
However, do you think this is a sufficiently secure method or should I also look at alternative hashing methods for storing my passwords? Plus, what is the best value/size to use for the hard-coded salt value? Should I use letters and numbers mixed with upper and lowercase? Please advise.
Thanks.
I think this is sufficiently secure, I use it myself.
The hardcoded salt value should not be an easy thing to guess (no words or phrases). I would just randomly type some stuff which you can mix with upper/lowercase and numbers and symbols. I'd say 14 characters should be more than enough. SHA is a pretty good hashing algorithm, so you don't need to do much extra effort.
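The advice above settles on one hard-coded salt for every account. As an added example (not code from this thread), the block below contrasts that with the approach the asker's original CreateSalt was already reaching for: a fresh random salt per password, stored next to the hash in a self-describing record and parsed by its separators instead of by a fixed character count. It uses PBKDF2-HMAC-SHA256 in place of a single SHA-1 pass; the iteration count and the placeholder site salt are assumptions, and the record layout is this example's own, not anything the MSDN article or the asker's code defines.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000   # assumption: choose a count that costs roughly 100 ms on the login server
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(pwd: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived-key.
    A fresh random salt is drawn for each password. It is stored in the clear,
    which is fine: its job is to make equal passwords hash differently, not to be secret."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", pwd.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(dk)])


def verify_password(record: str, pwd: str) -> bool:
    """Split the stored record on its separators (no fixed offsets to get wrong),
    recompute the derived key with the stored salt and iteration count, and
    compare in constant time. Any malformed record simply fails to verify."""
    try:
        alg, iters, salt_b64, dk_b64 = record.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
    except (ValueError, TypeError):
        return False
    if alg != ALGORITHM or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", pwd.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def hardcoded_salt_hash(pwd: str, site_salt: str = "hard-coded-site-salt") -> str:
    """The thread's suggestion: one fixed salt for every account.
    The site_salt value here is a constructed placeholder."""
    return hashlib.sha1((pwd + site_salt).encode("utf-8")).hexdigest().upper()


def same_password_two_users(pwd: str = "Summer2006") -> dict:
    """Constructed scenario: two accounts choose the same password.
    With a fixed salt the two stored values are identical, so one cracked hash
    (or one precomputed table) covers every account; per-account salts break that link."""
    return {
        "hardcoded_salt_identical": hardcoded_salt_hash(pwd) == hardcoded_salt_hash(pwd),
        "per_user_salt_identical": hash_password(pwd) == hash_password(pwd),
    }


if __name__ == "__main__":
    record = hash_password("Summer2006")
    print(record)
    print(verify_password(record, "Summer2006"), verify_password(record, "summer2006"))
    print(same_password_two_users())
```

Because the record carries its own algorithm name and iteration count, the cost can be raised later for new passwords while old records still verify, and the salt length can change without touching the login code.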
ASKER
Thanks again.
You have to get the original salt string used to create the password hash.
Dim dbPasswordHash As String = reader.GetString(0)
Dim saltSize As Integer = 5
' --- This is not correct
Dim salt As String = dbPasswordHash.Substring(dbPasswordHash.Length - saltSize)
Dim pwdHash As String = CreatePasswordHash(txtPassword.Text, salt)
passwordMatch = pwdHash.Equals(dbPasswordHash)
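Why the salt comes back as 8 characters rather than 5, and how the login code in the question and in the answer above can recover it, as an added example (Python rather than VB.NET, and not code from this thread): saltSize in the question counts random bytes, but Convert.ToBase64String turns every 3 bytes into 4 characters, so 5 bytes become 8 characters (and VB's Dim buff(size) allocates size + 1 elements, so the original actually draws 6 bytes, which also encode to 8 characters). Substring(Length - 5) therefore slices off only part of the salt and the recomputed hash can never match. The block models the page's CreateSalt and CreatePasswordHash, shows the posted login check failing, and shows a check that slices the salt by its Base64 text length. UTF-8 as the encoding behind HashPasswordForStoringInConfigFile, and the fixed sample salt, are assumptions.

```python
import base64
import hashlib
import hmac
import math
import os

# Salt size the question configures: 5 bytes of random data (not 5 characters).
SALT_BYTES = 5


def base64_len(n_bytes):
    """Length of the text Convert.ToBase64String produces for n_bytes of input."""
    return 4 * math.ceil(n_bytes / 3)


def vb_array_len(size):
    """`Dim buff(size) As Byte` in VB declares an upper bound, not a count:
    the array has size + 1 elements, so the question's CreateSalt draws 6 bytes."""
    return size + 1


def create_salt(n_bytes=SALT_BYTES):
    """Python equivalent of CreateSalt: random bytes, Base64-encoded."""
    return base64.b64encode(os.urandom(n_bytes)).decode("ascii")


def create_password_hash(pwd, salt):
    """Equivalent of CreatePasswordHash: SHA1 of password+salt as uppercase hex
    (the form HashPasswordForStoringInConfigFile returns), with the salt appended.
    Assumption: the .NET side encodes the string as UTF-8."""
    digest = hashlib.sha1((pwd + salt).encode("utf-8")).hexdigest().upper()
    return digest + salt


def verify_as_posted(db_hash, pwd, salt_size=SALT_BYTES):
    """The login logic from the question: take the last `salt_size` characters as the salt.
    The stored salt is 8 characters, so this recovers only part of it and never matches."""
    salt = db_hash[len(db_hash) - salt_size:]
    return create_password_hash(pwd, salt) == db_hash


def verify_fixed(db_hash, pwd, salt_bytes=SALT_BYTES):
    """Recover the salt by its Base64 text length, then compare in constant time."""
    salt_len = base64_len(salt_bytes)
    salt = db_hash[-salt_len:]
    return hmac.compare_digest(create_password_hash(pwd, salt), db_hash)


def demo(pwd="correct horse", salt="AbCdEfGh"):
    """Constructed example: a fixed 8-character salt so the result is reproducible."""
    stored = create_password_hash(pwd, salt)
    return {
        "stored_len": len(stored),                          # 40 hex chars + 8 salt chars
        "salt_len_5_bytes": base64_len(5),                  # 8
        "salt_len_6_bytes": base64_len(vb_array_len(5)),    # also 8
        "as_posted": verify_as_posted(stored, pwd),         # False
        "fixed": verify_fixed(stored, pwd),                 # True
        "fixed_wrong_password": verify_fixed(stored, "wrong"),  # False
    }


if __name__ == "__main__":
    print(demo())
```

Two further points a reviewer would raise on the question's code: the creation path trims txtPassword.Text while the login path does not, so a password with leading or trailing spaces will never verify; and storing the salt in its own column (or behind a separator) avoids depending on a length calculation at all.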