How to hash users password in the database

Question

2.50/5 (2 votes)

See more:

Dear all,

I have started on creating hashing password and I am little unsure, how do i go about creating and storing the hash password in the database. I am trying to encrypt my username and password, when i send them over a web-service.

User class:

C#

     public string CalculateHash(string text)
{
    MD5 md5 = new MD5CryptoServiceProvider();

    //compute hash from the bytes of text
    md5.ComputeHash(ASCIIEncoding.ASCII.GetBytes(text));

    //get hash result after compute it
    byte[] result = md5.Hash;

    StringBuilder strBuilder = new StringBuilder();
    for (int i = 0; i < result.Length; i++)
    {
        //change it into 2 hexadecimal digits
        //for each byte
        strBuilder.Append(result[i].ToString("x2"));
    }

    return strBuilder.ToString();
}

public api_login Validate2(string userName, string Password)
{
    // Find a user that matches that username and password (this will only validate if both match)
    return db.api_login.FirstOrDefault(u => u.username == userName && u.password == Password);

}

if anyone would suggest any feedback, into how can i get the password to hash in the database, when the user login, do I do that in the basic auth class or user class.

Many thanks

Many thanks

Posted 19-Mar-14 5:49am

miss786

Updated 20-Mar-14 8:00am

v3

Add a Solution

Comments

Sergey Alexandrovich Kryukov 19-Mar-14 12:10pm

You are doing gibberish. Why would you use base64, ever. You are not even trying to calculate cryptographic hash.
—SA

miss786 19-Mar-14 12:15pm

hi, I currently new into this encryption code, if you can advise a better alternative, then I happy to look into and update my code. any feedback is much welcomed.

Sergey Alexandrovich Kryukov 19-Mar-14 12:17pm

I just did; did you notice Solution 2? The answer is pretty comprehensive; this is all you need.
Will you accept it formally (green "Accept" button)?
—SA

ZurdoDev 19-Mar-14 21:07pm

I looked at both solutions and am not convinced either one actually answers your question. If not, please respond and elaborate on what exactly you are looking for.

miss786 20-Mar-14 6:33am

Thank you so much for your response ryan. I am trying to encrypt the password stored in my database, when i send them over using web api (http). From the suggestions below, I am currently looking into "SHA512 or SHA256:" hash algorithms. I manage to create crypto class using the following code as a framework:(http://www.java2s.com/Code/CSharp/Security/CreatePasswordHash.htm.)

I am still little unsure of the process of, how do I create hash password when i send the username and password over the web api, and when would i store the hash password in the database. I already has existing users in the database which do not have hash password, so is it possible to encrypt their password, when sending details through web api. I hope this clarifies any misunderstanding regarding my problem.

Any help much appreciated.

ZurdoDev 20-Mar-14 6:59am

First of all, you seem to be asking questions that you need to decide anyway so I'm not sure how to answer you but I'll try to give you some info.

1. How does the api you are calling expect credentials to be passed? It may be as simple as supplying a username and password. Many APIs work that way.
2. A hashed password cannot be unhashed. This means that when you pass the password to the api it will hash the password and compare the hash to the value it has stored on its end to know whether or not it is the same. You don't pass the hash.
3. If you want to hash your passwords that's all you do. When the user creates their password, you hash it and store the hashed password in your db. Then when they login with their password, you take the password they typed in and hash it and compare it to the hash value you have stored in your db and if they are the same then it means the password is valid. However, this is all on your end and has nothing to do with the API.
4. Encryption is similar to #3 except that you can decrypt it.

I still think #1 answers your question. If you are calling an API you need to follow the documentation for it. Some APIs only require a username and pass and you don't need to encrypt or hash anything. Some require attaching a cert. Some require posting login credentials, it all depends. You need to find that out first.

miss786 20-Mar-14 7:31am

Thank you for clarifying and giving helpful suggestions. I understand a hash password is created when a new user is created. Is it possible to create hash for existing users. for example, when I pass user's password through API, can i get the code to create hash password then, is this feasible.

Sorry for not clarifying my issue clearer, but I will be passing user's username and password through an api, which I have created (not using external api).

Many thanks for your support and I really appreciate your time.

ZurdoDev 20-Mar-14 7:45am

You created the API? Can you give more detail then?

You can hash the password anytime you want. Again, this seems like something you'll have to decide on so I'm not quite sure on where your confusion in. A hash is just a value you store in the database just like any other value so when and how it gets created is up to you.

miss786 20-Mar-14 8:10am

This is great. while i was research hash and salt, it only showed hashing new users, so I was unaware of this information. Many thanks for this information. I can finally move forward.

Its really basic API which call data and the data is authenticated using basic authentication. I will updated my original post with api and hash code for further reference.

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Sergey Alexandrovich Kryukov · Accepted Answer · 2014-03-19T06:15:00

Please see my comment to the question. It is unclear what you are trying to do, but it's clear why. This is a good idea to use cryptographic hash function for authentication: http://en.wikipedia.org/wiki/Cryptographic_hash_function[^].

First of all, you should not use a hash algorithm from SHA-1 family or MD5; they are considered as broken, not suitable for passwords. Better use one of the SHA-2 algorithms. Please see:
http://en.wikipedia.org/wiki/MD5[^],
http://en.wikipedia.org/wiki/SHA-1[^],
http://en.wikipedia.org/wiki/SHA-2[^].

The .NET FCL implementations are here: http://msdn.microsoft.com/en-us/library/system.security.cryptography.hashalgorithm%28v=vs.110%29.aspx[^].

Better use SHA512 or SHA256:
http://msdn.microsoft.com/en-us/library/system.security.cryptography.sha512(v=vs.110).aspx[^],
http://msdn.microsoft.com/en-us/library/system.security.cryptography.sha256(v=vs.110).aspx[^].

I never heard that using any of these implementation created any problems.

—SA

OriginalGriff · Accepted Answer · 2014-03-19T06:14:00

Solution 1

Don't encrypt usernames or passwords, and do remember that Base64 is not an encryption method, or a hashing algorithm, or anything useful in this context!

Have a look at this: Password Storage: How to do it.[^] - it should help!

Posted 19-Mar-14 6:14am

OriginalGriff

Comments

miss786 19-Mar-14 13:39pm

Thank you so much for your feedback. I am still little unclear, how do i go about storing the hash password or encrypting the passwords, when sending them over the http. if you get time, could you provide some guide or reference to any learning material to look into. Many thanks.

OriginalGriff 19-Mar-14 15:03pm

You can't, in practice, unless you use HTTPS and for that you need to buy a certificate.
The problem is that encryption needs a key - and both ends need to know it. That means that the key needs to be transferred from the Server to the Client - which means the encryption is about as useful as a chocolate teapot.

If you need to secure logins, then you have to move to secure data r=transfer - and that means HTTPS just like the banks and shopping sites use. (And if you don't, then why would any user trust your login system to be secure anyway? If it isn't green in the address bar, it isn't secure!)