ASP.NET Salting and Hash Password

Hello,

I'm looking to see if someone in EE could help me create a small Salt and Hash function so that when a user creates a password it is hashed in the DB. Note, I'm using ASP.NET 3.5 VB and i'm using my own DB store and not the ASP.NET Membership and Role Provider. This application is very small and i would like a way to just hash the password and a way to check against it when a user tries to login.

Username: txtUsername
Password: txtPassword

Button Click: btnCreateUser - this event would create the user in the DB along with there Hashed password.


Thanks in Advance!!!
Button Click: btnLogin - this event would check to see that the Salted password is correct
LVL 4
asp_net2Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

jbeasle3Commented:
See the attached code for creating the hashed password.  Then after the user keys in the password, hash it, concatenate the salt to the hashed password and compare it to the stored hashed password & salt.  For the code to work, you must import System.Web.Security and System.Security.Crytography into your code file.

The CreateSalt function generates a random number of digits and returns the base 64 string for the number of digits requested (specified by intSize).

The CreatePasswordHash function takes the password keyed by the user and the generated salt, concatenates them together, encrypts it and returns the encrypted value.

You must remember to store the salt as well as the encrypted password in your database.  You must concatenate the salt each time you compare passwords.
    Public Function gfCreatePasswordHash(ByVal vstrPwd As String, ByVal vstrSalt As String) As String
        Dim strSaltAndPwd As String = String.Concat(vstrPwd, vstrSalt)
        Dim strHashedPwd As String = FormsAuthentication.HashPasswordForStoringInConfigFile(strSaltAndPwd, "SHA1")
        Return strHashedPwd
    End Function
 
    Public Function gfCreateSalt(ByVal intSize As Integer) As String
        ' Generate a cryptographic random number using the cryptographic
        ' service provider
        Dim rng As RNGCryptoServiceProvider = New RNGCryptoServiceProvider
        Dim buff() As Byte = New Byte(intSize) {}
        rng.GetBytes(buff)
        ' Return a Base64 string representation of the random number
        Return Convert.ToBase64String(buff)
    End Function

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
asp_net2Author Commented:
Hi jbeasle3,

I added the following information below to my button click event and was wondering how to implement the functions you created to my click event.

Do i have to include the functions in a page_load? Or just add the functions somehow to my click event which i'm not sure how to.


Protected Sub btnAddUser_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnAddUser.Click
        If Page.IsValid Then

            Dim conn As SqlConnection
            Dim Insertcomm As SqlCommand

            Dim connectionString As String = ConfigurationManager.ConnectionStrings("DemoSql").ConnectionString

            conn = New SqlConnection(connectionString)

            Insertcomm = New SqlCommand("SaltInsert", conn)
            Insertcomm.CommandType = CommandType.StoredProcedure

            Insertcomm.Parameters.Add("@username", System.Data.SqlDbType.VarChar, 50)
            Insertcomm.Parameters("@username").Value = txtUsername.Text

            Insertcomm.Parameters.Add("@passwordhash", System.Data.SqlDbType.VarChar, 128)
            Insertcomm.Parameters("@passwordhash").Value = gfCreatePasswordHash()

            Insertcomm.Parameters.Add("@passwordsalt", System.Data.SqlDbType.VarChar, 128)
            Insertcomm.Parameters("@passwordsalt").Value = gfCreateSalt()

            Try
                conn.Open()

                Insertcomm.ExecuteNonQuery()

            Catch ex As Exception
                ex.Message.ToString()

            Finally
                conn.Close()
            End Try
        End If

    End Sub
0
jbeasle3Commented:
You were almost there.   The salt has to be created first.  Here's how I would do it:

dim strSalt as string

strSalt = gfCreateSalt(5)   'This creates a 5-digit salt
Insertcomm.Parameters.Add("@passwordsalt", System.Data.SqlDbType.VarChar, 128)
Insertcomm.Parameters("@passwordsalt").Value = strSalt

Insertcomm.Parameters.Add("@passwordhash", System.Data.SqlDbType.VarChar, 128)
Insertcomm.Parameters("@passwordhash").Value = gfCreatePasswordHash(strUserPswd, strSalt)  'strSalt was created above and strUserPswd is what the user keyed in

You can put the functions in any module where this code page can see them.  I tend to put them in a common module so any page that needs to can call them.



0
Starting with Angular 5

Learn the essential features and functions of the popular JavaScript framework for building mobile, desktop and web applications.

asp_net2Author Commented:
Hi jbeasle3,

Ok, ran into a little problem. After i implement the code you supplied in the last post i'm getting an error message below which i think has to do with passing the name of my Password TextBox inside as a parameter but i could be wrong.

ERROR MESSAGE:

Name 'strUserPswd' is not declared on the following code snippet below.

Insertcomm.Parameters.Add("@passwordhash", System.Data.SqlDbType.VarChar, 128)
Insertcomm.Parameters("@passwordhash").Value = gfCreatePasswordHash(strUserPswd, strSalt)
 'strSalt was created above and strUserPswd is what the user keyed in

The name of my Password TextBox is "txtPassword".

I'm going to post all the code that i currently have thanks to your help just so you can see where i'm at and maybe it was a small mistake on my end.


CODE:

Public Function gfCreatePasswordHash(ByVal vstrPwd As String, ByVal vstrSalt As String) As String
        Dim strSaltAndPwd As String = String.Concat(vstrPwd, vstrSalt)
        Dim strHashedPwd As String = FormsAuthentication.HashPasswordForStoringInConfigFile(strSaltAndPwd, "SHA1")
        Return strHashedPwd
    End Function

    Public Function gfCreateSalt(ByVal intSize As Integer) As String
        ' Generate a cryptographic random number using the cryptographic
        ' service provider
        Dim rng As RNGCryptoServiceProvider = New RNGCryptoServiceProvider
        Dim buff() As Byte = New Byte(intSize) {}
        rng.GetBytes(buff)
        ' Return a Base64 string representation of the random number
        Return Convert.ToBase64String(buff)
    End Function

    Protected Sub btnAddUser_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnAddUser.Click
        If Page.IsValid Then

            Dim strSalt As String

            Dim conn As SqlConnection
            Dim Insertcomm As SqlCommand

            Dim connectionString As String = ConfigurationManager.ConnectionStrings("DemoSql").ConnectionString

            conn = New SqlConnection(connectionString)

            Insertcomm = New SqlCommand("SaltInsert", conn)
            Insertcomm.CommandType = CommandType.StoredProcedure

            Insertcomm.Parameters.Add("@username", System.Data.SqlDbType.VarChar, 50)
            Insertcomm.Parameters("@username").Value = txtUsername.Text

            Insertcomm.Parameters.Add("@passwordhash", System.Data.SqlDbType.VarChar, 128)
            Insertcomm.Parameters("@passwordhash").Value = gfCreatePasswordHash(strUserPswd, strSalt)
            'strSalt was created above and strUserPswd is what the user keyed in

            strSalt = gfCreateSalt(5)   'This creates a 5-digit salt
            Insertcomm.Parameters.Add("@passwordsalt", System.Data.SqlDbType.VarChar, 128)
            Insertcomm.Parameters("@passwordsalt").Value = strSalt

            Try
                conn.Open()

                Insertcomm.ExecuteNonQuery()

            Catch ex As Exception
                ex.Message.ToString()

            Finally
                conn.Close()
            End Try
        End If

    End Sub
0
jbeasle3Commented:
ok...Just substitute txtPassword.Text for strUserPswd.  Also, it's VERY IMPORTANT that you do the salt routine BEFORE the password hash because the password routine uses it.
0
asp_net2Author Commented:
Hi jbeasle3,

That worked out as needed. Now if i wanted to increase the Salt size would i just change the integer in strSalt = gfCreateSalt(5) only?

Also, now i need for a way to login in with the credentials that i created. I can give you my custom login that i created, would you be willing to help me with the login event if i supplied you the code that i have now?

If so, then i will create another post different from this one and supply the link to you so that i can award you 500 points for each post.

Let me know,

0
asp_net2Author Commented:
Hi jbeasle3,

Are you stil able to help with post 24735608? Before i close the ticket i wanted to know if you could help me with authenticating against the password hash and salt in another post. I haven't created the post yet because i would like to award you with the points. Please let me konw so that i can assign points for you on this topic before opening another post about this.

Thanks in advance!!
0
jbeasle3Commented:
I would be happy to do that.
0
asp_net2Author Commented:
Hi jbeasle3,

Thanks, i really appreciate it, the following link is below for the new post. Once i know that you received it then i will close this post. Thanks again very much!!

http://www.experts-exchange.com/Programming/Languages/.NET/ASP.NET/Q_24532865.html
0
asp_net2Author Commented:
thanks for the help.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
ASP.NET

From novice to tech pro — start learning today.