I am following an example on how to create and verify a secured password with PBKDF2 which I found on this website

What I have tried:

I created a class called "HashCode" which I am accessing from the registration and login form and I am able to hash and salt the password during user registration and it works just fine.

Here is the code that hashes and salts the password:



using System;
using System.Security.Cryptography;

class HashCode
{
    // Returns Base64(salt || PBKDF2(password, salt)). The salt is stored together
    // with the hash so that the verifier can recover it later.
    public string GetHashPassword(string password)
    {
        string hashPass = string.Empty;

        // 20 random bytes from the OS CSPRNG as the per-password salt
        byte[] salt;
        new RNGCryptoServiceProvider().GetBytes(salt = new byte[20]);

        // PBKDF2 with HMAC-SHA1 (the Rfc2898DeriveBytes default), 100,000 iterations, 20-byte output
        var pbkdf2 = new Rfc2898DeriveBytes(password, salt, 100000);
        byte[] hash = pbkdf2.GetBytes(20);

        // Concatenate salt (bytes 0-19) and hash (bytes 20-39)
        byte[] hashBytes = new byte[40];
        Array.Copy(salt, 0, hashBytes, 0, 20);
        Array.Copy(hash, 0, hashBytes, 20, 20);

        hashPass = Convert.ToBase64String(hashBytes);

        return hashPass;
    }
}


And this is how I insert it into the database:

C#
command.Parameters.AddWithValue("@Password", hc.GetHashPassword(TxtBox_Password.Text));


Here is the code that verifies the user's login password:

    // Second method of the same HashCode class: recomputes PBKDF2 with the salt
    // stored in the first 20 bytes of hashPass and compares against the last 20.
    public bool IsValidPassword(string password, string hashPass)
    {
        bool result = true;

        byte[] hashBytes = Convert.FromBase64String(hashPass);
        byte[] salt = new byte[20];
        Array.Copy(hashBytes, 0, salt, 0, 20);   // recover the salt that was stored with the hash
        var pbkdf2 = new Rfc2898DeriveBytes(password, salt, 100000);
        byte[] hash = pbkdf2.GetBytes(20);

        // Byte-by-byte compare; note that exiting on the first mismatch is not constant time
        for (int i = 0; i < 20; i++)
        {
            if (hashBytes[i + 20] != hash[i])
            {
                throw new UnauthorizedAccessException();
            }
        }

        return result;
    }


And on my LoginForm I have:

command.Parameters.AddWithValue("@Password", hc.IsValidPassword(TxtBox_Password.Txt));


But it's not working. Any help would be so much appreciated!
Updated 3-Apr-20 0:05am
Comments
phil.o 3-Apr-20 6:02am    
Please define 'not working'.
Member 14766911 3-Apr-20 6:09am    
I think the 'IsValidPassword' takes two parameters (string password, string hashPass) and I don't know how to add them to the TextBox_Password.Text
F-ES Sitecore 3-Apr-20 7:35am    
You have to store the salt as well as the user's hashed password to ensure you use the salt that matches the one used in the hash. You really need to read up on using salt with hashed passwords as it looks like you don't really understand the underlying concept.

When they create their password you get a random salt and store the salt as well as

hash(password + salt)

when they try to log in you retrieve the salt you used to hash their password and you do

hash(loginPassword + usersSalt)

to see if that hash matches what is stored in the database.

1 solution

Don't do that.
Instead, call hc.GetHashPassword on the password they tried to log in with, and compare that with the value stored in the DB. Provided the salts are the same - and if they aren't you'll never get a good match or it's a pathetic salting method - the two Base64 strings should be the same.

But ... you'd be better off using a "proper" hashing algorithm, such as SHA.
This may help: Password Storage: How to do it.
Comments
Member 14766911 3-Apr-20 6:30am    
I changed:

command.Parameters.AddWithValue("@Password", hc.IsValidPassword(TxtBox_Password.Txt));

To:

command.Parameters.AddWithValue("@Password", hc.GetHashPassword(TxtBox_Password.Txt));

And I entered the correct password, but I'm now getting an error msg that I set if the passwords don't match.
OriginalGriff 3-Apr-20 6:56am    
Read what I said!
Member 14766911 5-Apr-20 12:57pm    
The problem was with my select statement.
Thanks for the help!
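As an added example (written for this page, not the asker's C# and not CodeProject's code), here is the login flow the comments above describe, in Python: look the user up by username, pull the stored salt out of the stored value, recompute PBKDF2 with that salt, and compare in constant time. It reproduces the exact storage format of the posted HashCode class (20-byte salt || 20-byte PBKDF2-HMAC-SHA1, 100,000 iterations, Base64), so a value produced by the C# GetHashPassword verifies here and vice versa. The `users` dict is a constructed stand-in for the Users table, and `naive_lookup_matches` shows what the question's login form was effectively doing: hashing the typed password with a fresh salt and expecting the Base64 string to match the stored one, which fails even for the correct password. Usernames and passwords are constructed test data.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Layout matches the C# class on this page: 20-byte salt || 20-byte PBKDF2 hash,
# HMAC-SHA1 (the .NET Rfc2898DeriveBytes default), 100,000 iterations, Base64.
SALT_LEN = 20
HASH_LEN = 20
ITERATIONS = 100_000


def get_hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return Base64(salt || PBKDF2-HMAC-SHA1(password, salt)), like the C# GetHashPassword."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt on every call, as in the C# code
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, HASH_LEN)
    return base64.b64encode(salt + dk).decode("ascii")


def is_valid_password(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the salt stored in `stored` and compare in constant time."""
    blob = base64.b64decode(stored)
    if len(blob) != SALT_LEN + HASH_LEN:
        return False  # malformed record; never treat it as a match
    salt, expected = blob[:SALT_LEN], blob[SALT_LEN:]
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, HASH_LEN)
    return hmac.compare_digest(dk, expected)


# Hash checked for unknown usernames so that the "no such user" path costs the same
# PBKDF2 work as a real check (assumption: you want to avoid a timing tell on usernames).
_DUMMY_STORED = get_hash_password("", bytes(SALT_LEN))


def register(users: Dict[str, str], username: str, password: str) -> None:
    """Registration: store Base64(salt || hash) under the username (stand-in for the INSERT)."""
    users[username] = get_hash_password(password)


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Login: SELECT the stored value by username only; the password is checked in code,
    never by putting a freshly computed hash into the WHERE clause."""
    stored = users.get(username)
    if stored is None:
        is_valid_password(password, _DUMMY_STORED)
        return False
    return is_valid_password(password, stored)


def naive_lookup_matches(users: Dict[str, str], username: str, password: str) -> bool:
    """What the question's login form did: hash the typed password with a NEW random salt
    and compare the Base64 strings. The salt differs every time, so this never matches."""
    return users.get(username) == get_hash_password(password)


if __name__ == "__main__":
    table: Dict[str, str] = {}  # constructed in-memory Users table
    register(table, "alice", "correct horse battery staple")
    print("stored:", table["alice"])
    print("right password:", login(table, "alice", "correct horse battery staple"))
    print("wrong password:", login(table, "alice", "Tr0ub4dor&3"))
    print("naive re-hash lookup:", naive_lookup_matches(table, "alice", "correct horse battery staple"))
```

The verify routine returns False rather than throwing, and uses `hmac.compare_digest` so the comparison time does not depend on which byte first differs. If you keep the C# class, the equivalent is to fetch the row by username, pass the stored `@Password` column into `IsValidPassword` as `hashPass`, and replace the byte loop with `CryptographicOperations.FixedTimeEquals` where your .NET version has it.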

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)