salt and hash password problem

I am creating a one-way hashed password to store in my db. I am using a salt size of 5. When the password is created the salt value is 8 characters. See code below:

Dim saltSize As Integer = 5
Dim salt As String = CreateSalt(saltSize)
Dim passwordHash As String = CreatePasswordHash(trim(txtPassword.Text), trim(salt))

response.write("<br>salt value: " & salt)

Private Shared Function CreateSalt(ByVal size As Integer) As String
      
Dim rng As RNGCryptoServiceProvider = New RNGCryptoServiceProvider
' VB array bounds are inclusive: buff(size) holds size + 1 bytes, so 6 bytes when size = 5
Dim buff(size) As Byte

rng.GetBytes(buff)
' Base64 emits 4 characters for every 3 input bytes, so the returned string is longer than the byte count
Return Convert.ToBase64String(buff)

End Function

Private Shared Function CreatePasswordHash(ByVal pwd As String, ByVal salt As String) As String
      
Dim saltAndPwd As String = String.Concat(pwd, salt)
' HashPasswordForStoringInConfigFile returns the SHA1 digest as a 40-character uppercase hex string
Dim hashedPwd As String = FormsAuthentication.HashPasswordForStoringInConfigFile(saltAndPwd, "SHA1")
' The salt string is appended to the digest so it can be recovered at login
hashedPwd = String.Concat(hashedPwd, salt)

Return hashedPwd

End Function

However, when I try to authenticate a user that is trying to log in I am having a problem:

Dim dbPasswordHash As String = reader.GetString(0)
Dim saltSize As Integer = 5
' Takes the last saltSize characters of the stored string as the salt
Dim salt As String = dbPasswordHash.Substring(dbPasswordHash.Length - saltSize)

Dim pwdHash As String = CreatePasswordHash(txtPassword.Text, salt)
passwordMatch = pwdHash.Equals(dbPasswordHash)

The returned salt value is not of length 5 but it is 8 characters. The authentication thus fails. Can someone help with this query?
nmretd Asked:
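The asker's scheme reworked in Python (an added example, not code from the question or any answer), showing why the salt recovered from the stored string must be sliced by its encoded length rather than its byte count, and a login check that does so. The password `hunter2` and the salt `AbCdEfG=` are constructed sample values.

```python
import base64
import hashlib
import hmac
import os

# VB's "Dim buff(5) As Byte" allocates indexes 0..5, i.e. 6 bytes (mirrors the question)
SALT_BYTES = 6
# Base64 emits 4 characters per 3 input bytes, so 6 random bytes always encode to 8 characters
SALT_CHARS = len(base64.b64encode(bytes(SALT_BYTES)))


def create_salt(size_bytes=SALT_BYTES):
    """Random salt, Base64 encoded like CreateSalt in the question."""
    return base64.b64encode(os.urandom(size_bytes)).decode("ascii")


def create_password_hash(pwd, salt):
    """SHA1(pwd + salt) as uppercase hex (the format HashPasswordForStoringInConfigFile
    returns), with the salt appended, as in the question's CreatePasswordHash."""
    digest = hashlib.sha1((pwd + salt).encode("utf-8")).hexdigest().upper()
    return digest + salt


def split_stored(stored):
    """Recover (digest, salt): the salt is the last SALT_CHARS characters,
    not the last SALT_BYTES, because it was stored in its encoded form."""
    return stored[:-SALT_CHARS], stored[-SALT_CHARS:]


def verify(pwd, stored):
    """Recompute the hash with the recovered salt and compare in constant time."""
    _, salt = split_stored(stored)
    candidate = create_password_hash(pwd, salt)
    return hmac.compare_digest(candidate.encode("ascii"), stored.encode("ascii"))


def buggy_verify(pwd, stored, salt_size=5):
    """The question's login code: slicing by the byte count grabs only a
    5-character fragment of the salt, so the recomputed string never matches."""
    salt = stored[-salt_size:]
    return create_password_hash(pwd, salt) == stored
```

Because one SHA1 round is cheap to recompute, a current deployment would swap `hashlib.sha1` for `hashlib.pbkdf2_hmac` while keeping the same salt handling.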
mppeters Commented:
Don't bother with the separate salt function, give this a try.

Private Shared Function CreatePasswordHash(ByVal pwd As String) As String

' Needs Imports System.Security.Cryptography and Imports System.Text
Dim salt As String = "heresomesaltthatyouhardcode"
Dim hasher As HashAlgorithm = New SHA1Managed
Dim pwdBytes As Byte() = Encoding.UTF8.GetBytes(String.Concat(pwd, salt))
' ComputeHash returns the 20-byte digest directly; copying it into an array declared
' with HashSize / 8 as the upper bound would leave an extra trailing zero byte
Dim pwdHash As Byte() = hasher.ComputeHash(pwdBytes)
Return Convert.ToBase64String(pwdHash)

End Function
mppeters Commented:
You can't get the salt from the already hashed dbPasswordHash, it's already encompassed within the entire dbPasswordHash string.

You have to get the original salt string used to create the password hash.

Dim dbPasswordHash As String = reader.GetString(0)
Dim saltSize As Integer = 5

' --- This is not correct
Dim salt As String = dbPasswordHash.Substring(dbPasswordHash.Length - saltSize)

Dim pwdHash As String = CreatePasswordHash(txtPassword.Text, salt)
passwordMatch = pwdHash.Equals(dbPasswordHash)
nauman_ahmed Commented:
You should also take a look at SHA encryption:

SHA 512 Bit Encryption
http://www.experts-exchange.com/Programming/Programming_Languages/C_Sharp/Q_20984315.html

You can convert this to VB at http://carlosag.net/Tools/CodeTranslator/Default.aspx

Another option is AES Encryption:

Title: VB.NET - how to store and retrieve encrypted passwords from sql server db within ASP.NET app
http://www.experts-exchange.com/Programming/Programming_Languages/Dot_Net/ASP_DOT_NET/Q_21647755.html

HTH, Nauman.
mppeters Commented:
nmretd: There's nothing wrong with your solution, don't bother with the other encryption options mentioned by nauman.
All you have to do is make your createsalt function use a hard-coded string.
nmretd (Author) Commented:
mppeters

This is what I am trying to do, i.e. retrieve the original salt string from the dbPasswordHash because it has been concatenated to this string?

nmretd (Author) Commented:
Can someone help me to adapt my code?

mppeters Commented:
Ohh, I see. You're adding the salt to the end of the hash. That doesn't seem like a good idea to me...
nmretd (Author) Commented:
This is the solution from msdn: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT03.asp

I have converted the code to VB.NET.

nmretd (Author) Commented:
That seems to do the trick.

However, do you think this is a sufficiently secure method or should I also look at alternative hashing methods for storing my passwords? Plus, what is the best value/size to use for the hardcoded salt value? Should I use letters and numbers mixed with upper and lowercase? Please advise.

Thanks.
mppeters Commented:
I think this is sufficiently secure, I use it myself.

The hardcoded salt value should not be an easy thing to guess (no words or phrases). I would just randomly type some stuff which you can mix with upper/lowercase and numbers and symbols. I'd say 14 characters should be more than enough. SHA is a pretty good hashing algorithm, so you don't need to do much extra effort.
nmretd (Author) Commented:
Thanks again.