Solved

ASP.NET Salting and Hash Password

Posted on 2009-06-27
10
867 Views
Last Modified: 2012-05-07
Hello,

I'm looking to see if someone in EE could help me create a small Salt and Hash function so that when a user creates a password it is hashed in the DB. Note, I'm using ASP.NET 3.5 VB and i'm using my own DB store and not the ASP.NET Membership and Role Provider. This application is very small and i would like a way to just hash the password and a way to check against it when a user tries to login.

Username: txtUsername
Password: txtPassword

Button Click: btnCreateUser - this event would create the user in the DB along with there Hashed password.


Thanks in Advance!!!
Button Click: btnLogin - this event would check to see that the Salted password is correct
0
Comment
Question by:asp_net2
  • 6
  • 4
10 Comments
 
LVL 3

Accepted Solution

by:
jbeasle3 earned 500 total points
Comment Utility
See the attached code for creating the hashed password.  Then after the user keys in the password, hash it, concatenate the salt to the hashed password and compare it to the stored hashed password & salt.  For the code to work, you must import System.Web.Security and System.Security.Crytography into your code file.

The CreateSalt function generates a random number of digits and returns the base 64 string for the number of digits requested (specified by intSize).

The CreatePasswordHash function takes the password keyed by the user and the generated salt, concatenates them together, encrypts it and returns the encrypted value.

You must remember to store the salt as well as the encrypted password in your database.  You must concatenate the salt each time you compare passwords.
    Public Function gfCreatePasswordHash(ByVal vstrPwd As String, ByVal vstrSalt As String) As String

        Dim strSaltAndPwd As String = String.Concat(vstrPwd, vstrSalt)

        Dim strHashedPwd As String = FormsAuthentication.HashPasswordForStoringInConfigFile(strSaltAndPwd, "SHA1")

        Return strHashedPwd

    End Function
 

    Public Function gfCreateSalt(ByVal intSize As Integer) As String

        ' Generate a cryptographic random number using the cryptographic

        ' service provider

        Dim rng As RNGCryptoServiceProvider = New RNGCryptoServiceProvider

        Dim buff() As Byte = New Byte(intSize) {}

        rng.GetBytes(buff)

        ' Return a Base64 string representation of the random number

        Return Convert.ToBase64String(buff)

    End Function

Open in new window

0
 
LVL 4

Author Comment

by:asp_net2
Comment Utility
Hi jbeasle3,

I added the following information below to my button click event and was wondering how to implement the functions you created to my click event.

Do i have to include the functions in a page_load? Or just add the functions somehow to my click event which i'm not sure how to.


Protected Sub btnAddUser_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnAddUser.Click
        If Page.IsValid Then

            Dim conn As SqlConnection
            Dim Insertcomm As SqlCommand

            Dim connectionString As String = ConfigurationManager.ConnectionStrings("DemoSql").ConnectionString

            conn = New SqlConnection(connectionString)

            Insertcomm = New SqlCommand("SaltInsert", conn)
            Insertcomm.CommandType = CommandType.StoredProcedure

            Insertcomm.Parameters.Add("@username", System.Data.SqlDbType.VarChar, 50)
            Insertcomm.Parameters("@username").Value = txtUsername.Text

            Insertcomm.Parameters.Add("@passwordhash", System.Data.SqlDbType.VarChar, 128)
            Insertcomm.Parameters("@passwordhash").Value = gfCreatePasswordHash()

            Insertcomm.Parameters.Add("@passwordsalt", System.Data.SqlDbType.VarChar, 128)
            Insertcomm.Parameters("@passwordsalt").Value = gfCreateSalt()

            Try
                conn.Open()

                Insertcomm.ExecuteNonQuery()

            Catch ex As Exception
                ex.Message.ToString()

            Finally
                conn.Close()
            End Try
        End If

    End Sub
0
 
LVL 3

Expert Comment

by:jbeasle3
Comment Utility
You were almost there.   The salt has to be created first.  Here's how I would do it:

dim strSalt as string

strSalt = gfCreateSalt(5)   'This creates a 5-digit salt
Insertcomm.Parameters.Add("@passwordsalt", System.Data.SqlDbType.VarChar, 128)
Insertcomm.Parameters("@passwordsalt").Value = strSalt

Insertcomm.Parameters.Add("@passwordhash", System.Data.SqlDbType.VarChar, 128)
Insertcomm.Parameters("@passwordhash").Value = gfCreatePasswordHash(strUserPswd, strSalt)  'strSalt was created above and strUserPswd is what the user keyed in

You can put the functions in any module where this code page can see them.  I tend to put them in a common module so any page that needs to can call them.



0
 
LVL 4

Author Comment

by:asp_net2
Comment Utility
Hi jbeasle3,

Ok, ran into a little problem. After i implement the code you supplied in the last post i'm getting an error message below which i think has to do with passing the name of my Password TextBox inside as a parameter but i could be wrong.

ERROR MESSAGE:

Name 'strUserPswd' is not declared on the following code snippet below.

Insertcomm.Parameters.Add("@passwordhash", System.Data.SqlDbType.VarChar, 128)
Insertcomm.Parameters("@passwordhash").Value = gfCreatePasswordHash(strUserPswd, strSalt)
 'strSalt was created above and strUserPswd is what the user keyed in

The name of my Password TextBox is "txtPassword".

I'm going to post all the code that i currently have thanks to your help just so you can see where i'm at and maybe it was a small mistake on my end.


CODE:

Public Function gfCreatePasswordHash(ByVal vstrPwd As String, ByVal vstrSalt As String) As String
        Dim strSaltAndPwd As String = String.Concat(vstrPwd, vstrSalt)
        Dim strHashedPwd As String = FormsAuthentication.HashPasswordForStoringInConfigFile(strSaltAndPwd, "SHA1")
        Return strHashedPwd
    End Function

    Public Function gfCreateSalt(ByVal intSize As Integer) As String
        ' Generate a cryptographic random number using the cryptographic
        ' service provider
        Dim rng As RNGCryptoServiceProvider = New RNGCryptoServiceProvider
        Dim buff() As Byte = New Byte(intSize) {}
        rng.GetBytes(buff)
        ' Return a Base64 string representation of the random number
        Return Convert.ToBase64String(buff)
    End Function

    Protected Sub btnAddUser_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnAddUser.Click
        If Page.IsValid Then

            Dim strSalt As String

            Dim conn As SqlConnection
            Dim Insertcomm As SqlCommand

            Dim connectionString As String = ConfigurationManager.ConnectionStrings("DemoSql").ConnectionString

            conn = New SqlConnection(connectionString)

            Insertcomm = New SqlCommand("SaltInsert", conn)
            Insertcomm.CommandType = CommandType.StoredProcedure

            Insertcomm.Parameters.Add("@username", System.Data.SqlDbType.VarChar, 50)
            Insertcomm.Parameters("@username").Value = txtUsername.Text

            Insertcomm.Parameters.Add("@passwordhash", System.Data.SqlDbType.VarChar, 128)
            Insertcomm.Parameters("@passwordhash").Value = gfCreatePasswordHash(strUserPswd, strSalt)
            'strSalt was created above and strUserPswd is what the user keyed in

            strSalt = gfCreateSalt(5)   'This creates a 5-digit salt
            Insertcomm.Parameters.Add("@passwordsalt", System.Data.SqlDbType.VarChar, 128)
            Insertcomm.Parameters("@passwordsalt").Value = strSalt

            Try
                conn.Open()

                Insertcomm.ExecuteNonQuery()

            Catch ex As Exception
                ex.Message.ToString()

            Finally
                conn.Close()
            End Try
        End If

    End Sub
0
 
LVL 3

Expert Comment

by:jbeasle3
Comment Utility
ok...Just substitute txtPassword.Text for strUserPswd.  Also, it's VERY IMPORTANT that you do the salt routine BEFORE the password hash because the password routine uses it.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 4

Author Comment

by:asp_net2
Comment Utility
Hi jbeasle3,

That worked out as needed. Now if i wanted to increase the Salt size would i just change the integer in strSalt = gfCreateSalt(5) only?

Also, now i need for a way to login in with the credentials that i created. I can give you my custom login that i created, would you be willing to help me with the login event if i supplied you the code that i have now?

If so, then i will create another post different from this one and supply the link to you so that i can award you 500 points for each post.

Let me know,

0
 
LVL 4

Author Comment

by:asp_net2
Comment Utility
Hi jbeasle3,

Are you stil able to help with post 24735608? Before i close the ticket i wanted to know if you could help me with authenticating against the password hash and salt in another post. I haven't created the post yet because i would like to award you with the points. Please let me konw so that i can assign points for you on this topic before opening another post about this.

Thanks in advance!!
0
 
LVL 3

Expert Comment

by:jbeasle3
Comment Utility
I would be happy to do that.
0
 
LVL 4

Author Comment

by:asp_net2
Comment Utility
Hi jbeasle3,

Thanks, i really appreciate it, the following link is below for the new post. Once i know that you received it then i will close this post. Thanks again very much!!

http://www.experts-exchange.com/Programming/Languages/.NET/ASP.NET/Q_24532865.html
0
 
LVL 4

Author Closing Comment

by:asp_net2
Comment Utility
thanks for the help.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Suggested Solutions

AJAX ModalPopupExtender has a required property "TargetControlID" which may seem to be very confusing to new users. It means the server control that will be extended by the ModalPopup, for instance, if when you click a button, a ModalPopup displays,…
In .NET 2.0, Microsoft introduced the Web Site.  This was the default way to create a web Project in Visual Studio 2005.  In Visual Studio 2008, the Web Application has been restored as the default web Project in Visual Studio/.NET 3.x The Web Si…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now