How to hash users passwords?
Question
please do not mark this as a duplicate because I've already checked multiple posts but none of them helped me.
Asp.net MVC - How to hash password
I'm building a website that has a login page, and I read this post
https://www.codeproject.com/Articles/704865/Salted-Password-Hashing-Doing-it-Right#normalhashing
on how to make my login secure.
Now I understand that on each sign up I have to create CSPRNGs(Cryptographically secure pseudorandom number generator) and add it to the password submitted by the user, then hash this mix and store it in the DB, and store the salt for each user because it's a random one for each user. My question is what is the easiest and the most simple way to do that.
In my controller I'm taking the username and the password via this method
public JsonResult Login(LoginModel data)
{
//some code...
//...
}
My login model contain
public class LoginModel
{
public string Username { get; set; }
public string Password { get; set; }
}
so I'm getting the username and password like (string a = data.Username, ...)
I already added this to my project but I don't know how to continue from here
using System.Security.Cryptography;
I know how to save in the DB for sure I just want to know, how to make a random salt (maybe using RNGCryptoServiceProvider), and how to add it to the user's password, and then hash the final result. Thanks for any help.
3 answers
solution1
6 2019-02-14 11:44:29
The answer to every "How do I securely hash passwords" question is the same: YOU DON'T . You're in the business of making unique websites, not in the security business. You don't know what you're doing, and you won't recognize if you're doing something wrong. Until your database leaks out in one way or another, and then you're too late to do anything about it, compromising your users' security.
You use well-researched, battle-hardened, maintained code to store user logins. When you're on ASP.NET MVC, you use ASP.NET Identity . You DO NOT roll your own. Period.
solution2
3 2019-02-14 11:45:05
You could go about adding salt and hashing the password by using a method such as this. Here we send a method a string. This is basically how entity framework hash's a password when you create a user using the login section.
public static string EncodePassword(string password)
{
byte[] salt;
byte[] buffer2;
if (password == null)
{
throw new ArgumentNullException("password");
}
using (Rfc2898DeriveBytes bytes = new Rfc2898DeriveBytes(password, 0x10, 0x3e8))
{
salt = bytes.Salt;
buffer2 = bytes.GetBytes(0x20);
}
byte[] dst = new byte[0x31];
Buffer.BlockCopy(salt, 0, dst, 1, 0x10);
Buffer.BlockCopy(buffer2, 0, dst, 0x11, 0x20);
return Convert.ToBase64String(dst);
}//Entity Framework default way
The above uses using System.Security.Cryptography; and system.Buffer
solution3
-1 ACCPTED 2019-02-15 12:52:26
I did this way, and it's working fine.
I added a new class
public class Helper
{
public String CreateSalt(int size)
{
var rng = new RNGCryptoServiceProvider();
var buff = new byte[size];
rng.GetBytes(buff);
return Convert.ToBase64String(buff);
}
public String GenerateSha256Hash(string input, string salt)
{
byte[] bytes = System.Text.Encoding.UTF8.GetBytes(input + salt);
SHA256Managed shaString = new SHA256Managed();
byte[] hash = shaString.ComputeHash(bytes);
return BitConverter.ToString(hash);
}
}
}
And in my controller I added an instance of this class
Helper myHelper = new Helper();
Then I'm passing values to
string salt = myHelper.CreateSalt(5);
string hashedPassword = myHelper.GenerateSha256Hash(*PasswordField*, salt);
hashedPassword = hashedPassword.Replace("-", string.Empty).Substring(0, 16);
I'm removing the "-"from the hashed password and then I'm taking the first 16 characters.
Thanks to @Luke Joshua Park, @gusto2 , @JamesS and @CodeCaster for their help.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.