ASP.NET Salting and Hash Password
Brian asked:
Hello,
I'm looking to see if someone in EE could help me create a small salt-and-hash function so that when a user creates a password it is hashed in the DB. Note, I'm using ASP.NET 3.5 VB and I'm using my own DB store and not the ASP.NET Membership and Role Provider. This application is very small and I would like a way to just hash the password and a way to check against it when a user tries to log in.
Username: txtUsername
Password: txtPassword
Button Click: btnCreateUser - this event would create the user in the DB along with their hashed password.
Button Click: btnLogin - this event would check to see that the salted password is correct
Thanks in Advance!!!
You were almost there. The salt has to be created first. Here's how I would do it:
Dim strSalt As String
strSalt = gfCreateSalt(5) 'This creates a random Base64-encoded salt
Insertcomm.Parameters.Add("@passwordsalt", System.Data.SqlDbType.VarChar, 128)
Insertcomm.Parameters("@passwordsalt").Value = strSalt
Insertcomm.Parameters.Add("@passwordhash", System.Data.SqlDbType.VarChar, 128)
Insertcomm.Parameters("@passwordhash").Value = gfCreatePasswordHash(strUserPswd, strSalt) 'strSalt was created above and strUserPswd is what the user keyed in
You can put the functions in any module where this code page can see them. I tend to put them in a common module so any page that needs to can call them.
ASKER
Hi jbeasle3,
OK, ran into a little problem. After I implemented the code you supplied in the last post I'm getting the error message below, which I think has to do with passing the name of my Password TextBox inside as a parameter, but I could be wrong.
ERROR MESSAGE:
Name 'strUserPswd' is not declared, on the code snippet below:
Insertcomm.Parameters.Add("@passwordhash", System.Data.SqlDbType.VarChar, 128)
Insertcomm.Parameters("@passwordhash").Value = gfCreatePasswordHash(strUserPswd, strSalt)
'strSalt was created above and strUserPswd is what the user keyed in
The name of my Password TextBox is "txtPassword".
I'm going to post all the code that I currently have, thanks to your help, just so you can see where I'm at; maybe it was a small mistake on my end.
CODE:
Imports System.Data
Imports System.Data.SqlClient
Imports System.Configuration
Imports System.Security.Cryptography
Imports System.Web.Security

Public Function gfCreatePasswordHash(ByVal vstrPwd As String, ByVal vstrSalt As String) As String
    ' Append the salt to the password and hash the result with SHA1 (returns upper-case hex)
    Dim strSaltAndPwd As String = String.Concat(vstrPwd, vstrSalt)
    Dim strHashedPwd As String = FormsAuthentication.HashPasswordForStoringInConfigFile(strSaltAndPwd, "SHA1")
    Return strHashedPwd
End Function

Public Function gfCreateSalt(ByVal intSize As Integer) As String
    ' Generate a cryptographic random number using the cryptographic
    ' service provider
    Dim rng As RNGCryptoServiceProvider = New RNGCryptoServiceProvider
    ' VB.NET array bounds are inclusive, so New Byte(intSize - 1) allocates exactly intSize bytes
    Dim buff() As Byte = New Byte(intSize - 1) {}
    rng.GetBytes(buff)
    ' Return a Base64 string representation of the random number
    Return Convert.ToBase64String(buff)
End Function
Protected Sub btnAddUser_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnAddUser.Click
    If Page.IsValid Then
        Dim strSalt As String
        Dim conn As SqlConnection
        Dim Insertcomm As SqlCommand
        Dim connectionString As String = ConfigurationManager.ConnectionStrings("DemoSql").ConnectionString
        conn = New SqlConnection(connectionString)
        Insertcomm = New SqlCommand("SaltInsert", conn)
        Insertcomm.CommandType = CommandType.StoredProcedure
        Insertcomm.Parameters.Add("@username", System.Data.SqlDbType.VarChar, 50)
        Insertcomm.Parameters("@username").Value = txtUsername.Text
        Insertcomm.Parameters.Add("@passwordhash", System.Data.SqlDbType.VarChar, 128)
        Insertcomm.Parameters("@passwordhash").Value = gfCreatePasswordHash(strUserPswd, strSalt)
        'strSalt was created above and strUserPswd is what the user keyed in
        strSalt = gfCreateSalt(5) 'This creates a random Base64-encoded salt
        Insertcomm.Parameters.Add("@passwordsalt", System.Data.SqlDbType.VarChar, 128)
        Insertcomm.Parameters("@passwordsalt").Value = strSalt
        Try
            conn.Open()
            Insertcomm.ExecuteNonQuery()
        Catch ex As Exception
            ' The exception is swallowed here: the message is evaluated but never logged or shown
            ex.Message.ToString()
        Finally
            conn.Close()
        End Try
    End If
End Sub
OK... Just substitute txtPassword.Text for strUserPswd. Also, it's VERY IMPORTANT that you do the salt routine BEFORE the password hash, because the password routine uses it.
ASKER
Hi jbeasle3,
That worked out as needed. Now if I wanted to increase the salt size, would I just change the integer in strSalt = gfCreateSalt(5) only?
Also, now I need a way to log in with the credentials that I created. I can give you my custom login that I created; would you be willing to help me with the login event if I supplied you the code that I have now?
If so, then I will create another post different from this one and supply the link to you so that I can award you 500 points for each post.
Let me know,
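Here is an added example, not code from this thread, that puts the two halves of the question together: the btnCreateUser side (salt first, then hash, store both) and the btnLogin side (look up the stored salt and hash by username, recompute the hash, compare). It is written as a VB.NET console module so it runs without an ASP.NET page or SQL Server; the Dictionary is a constructed stand-in for the users table behind the SaltInsert stored procedure (assumed columns username, passwordhash, passwordsalt), and the names CreateSalt, CreatePasswordHash, CreatePasswordHashPbkdf2, FixedTimeEquals, RegisterUser and CheckLogin are mine. CreatePasswordHash computes SHA1 over the UTF-8 bytes of password & salt as upper-case hex, which is what FormsAuthentication.HashPasswordForStoringInConfigFile returns for "SHA1", so hashes written by the thread's gfCreatePasswordHash verify with it. On the salt-size question: the integer passed to the salt routine is the only thing to change; this example uses 16 random bytes.

```vb
' Added example (not code from the thread): registration and login checks for the
' salt + hash scheme discussed above, as a console module so it runs without an
' ASP.NET page or SQL Server. The Dictionary is a constructed stand-in for the users
' table behind the SaltInsert stored procedure (assumed columns: username,
' passwordhash, passwordsalt).
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography
Imports System.Text

Module PasswordDemo

    ' username -> (passwordhash, passwordsalt)
    Private ReadOnly Users As New Dictionary(Of String, KeyValuePair(Of String, String))(StringComparer.OrdinalIgnoreCase)

    ' intSize random bytes from the OS CSPRNG, Base64-encoded. VB array bounds are
    ' inclusive, so intSize - 1 allocates exactly intSize bytes.
    Public Function CreateSalt(ByVal intSize As Integer) As String
        Dim buff(intSize - 1) As Byte
        Dim rng As New RNGCryptoServiceProvider()
        rng.GetBytes(buff)
        Return Convert.ToBase64String(buff)
    End Function

    ' SHA1 over the UTF-8 bytes of password & salt, upper-case hex. For "SHA1" this is
    ' the same digest FormsAuthentication.HashPasswordForStoringInConfigFile returns,
    ' without needing a reference to System.Web.
    Public Function CreatePasswordHash(ByVal password As String, ByVal salt As String) As String
        Dim data As Byte() = Encoding.UTF8.GetBytes(String.Concat(password, salt))
        Using sha As SHA1 = SHA1.Create()
            Return BitConverter.ToString(sha.ComputeHash(data)).Replace("-", "")
        End Using
    End Function

    ' Slower alternative that fits the same two columns: PBKDF2 (Rfc2898DeriveBytes,
    ' in .NET 2.0+) iterates SHA1 so each guess costs an attacker thousands of hashes.
    Public Function CreatePasswordHashPbkdf2(ByVal password As String, ByVal salt As String, ByVal iterations As Integer) As String
        Dim kdf As New Rfc2898DeriveBytes(password, Convert.FromBase64String(salt), iterations)
        Return BitConverter.ToString(kdf.GetBytes(20)).Replace("-", "")
    End Function

    ' Compare two digests without stopping at the first mismatching character, so the
    ' time taken does not reveal how much of the hash matched.
    Public Function FixedTimeEquals(ByVal a As String, ByVal b As String) As Boolean
        If a Is Nothing OrElse b Is Nothing OrElse a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (AscW(a(i)) Xor AscW(b(i)))
        Next
        Return diff = 0
    End Function

    ' btnCreateUser side: salt FIRST, then hash with it, then store both columns.
    Public Sub RegisterUser(ByVal username As String, ByVal password As String)
        Dim salt As String = CreateSalt(16)
        Dim hash As String = CreatePasswordHash(password, salt)
        Users(username) = New KeyValuePair(Of String, String)(hash, salt)
    End Sub

    ' btnLogin side: fetch the stored salt and hash by username, recompute the hash from
    ' the typed password and the stored salt, and compare. The typed password never
    ' goes to the database and the stored hash is never reversed (it cannot be).
    Public Function CheckLogin(ByVal username As String, ByVal password As String) As Boolean
        Dim row As KeyValuePair(Of String, String) = Nothing
        If Not Users.TryGetValue(username, row) Then
            ' Unknown user: still hash once so the reply takes as long as a wrong password.
            CreatePasswordHash(password, "")
            Return False
        End If
        Return FixedTimeEquals(CreatePasswordHash(password, row.Value), row.Key)
    End Function

    Sub Main()
        RegisterUser("brian", "correct horse")
        Console.WriteLine("right password:  " & CheckLogin("brian", "correct horse").ToString())
        Console.WriteLine("wrong password:  " & CheckLogin("brian", "wrong horse").ToString())
        Console.WriteLine("unknown user:    " & CheckLogin("nobody", "correct horse").ToString())
        RegisterUser("brian2", "correct horse")
        Console.WriteLine("same password, same stored hash? " & (Users("brian").Key = Users("brian2").Key).ToString())
    End Sub
End Module
```

Running Main registers a user and then checks the right password, a wrong password and an unknown username; only the first check passes, and two users with the same password get different stored hashes because each gets its own salt. Against the real table, the login query should select passwordhash and passwordsalt by a parameterized @username only, never by username and password together. A single SHA1 over password+salt is very fast to brute-force, so for new code prefer CreatePasswordHashPbkdf2 with an iteration count in the tens of thousands; the salt and hash still fit the same two VarChar(128) columns.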
ASKER
Hi jbeasle3,
Are you still able to help with post 24735608? Before I close the ticket I wanted to know if you could help me with authenticating against the password hash and salt in another post. I haven't created the post yet because I would like to award you the points. Please let me know so that I can assign points to you on this topic before opening another post about this.
Thanks in advance!!
I would be happy to do that.
ASKER
Hi jbeasle3,
Thanks, I really appreciate it; the link for the new post is below. Once I know that you received it, I will close this post. Thanks again very much!!
https://www.experts-exchange.com/questions/24532865/Authenticate-against-password-hash-salt.html
ASKER
Thanks for the help.
ASKER
I added the following information below to my button click event and was wondering how to implement the functions you created in my click event.
Do I have to include the functions in a Page_Load? Or just add the functions somehow to my click event, which I'm not sure how to do.
Protected Sub btnAddUser_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnAddUser.Click
If Page.IsValid Then
Dim conn As SqlConnection
Dim Insertcomm As SqlCommand
Dim connectionString As String = ConfigurationManager.ConnectionStrings("DemoSql").ConnectionString
conn = New SqlConnection(connectionString)
Insertcomm = New SqlCommand("SaltInsert", conn)
Insertcomm.CommandType = CommandType.StoredProcedure
Insertcomm.Parameters.Add("@username", System.Data.SqlDbType.VarChar, 50)
Insertcomm.Parameters("@username").Value = txtUsername.Text
Insertcomm.Parameters.Add(
Insertcomm.Parameters("@pa
Insertcomm.Parameters.Add(
Insertcomm.Parameters("@pa
Try
conn.Open()
Insertcomm.ExecuteNonQuery()
Catch ex As Exception
ex.Message.ToString()
Finally
conn.Close()
End Try
End If
End Sub