I'm having difficulties logging in to a page I've written using a salt-hashed password. Actually, the code generates a 32-byte random salt that it adds to the text input as the password. Then the hash of this is computed and stored in a table. However, when one has to log in, the text he inputs as the password is salted with the same salt, then hashed with the same hash function. If a match is detected, then login is granted; else, login is refused. I have difficulties implementing that.

Help please. My code is below.

What I have tried:

C#
con.Open();
string salt = SaltF(32);
string Md = @"select Username, SH from SecureUser where Username= @usrn and SH= @sh";

SqlParameter usrname = new SqlParameter();
usrname.ParameterName = "@usrn";
usrname.Value = comboBox1.Text;
SqlParameter Sha = new SqlParameter();
Sha.ParameterName = "@sh";
Sha.Value = SaltHashF(salt, textBox2.Text);

SqlCommand cmdLd = new SqlCommand(Md, con);
cmdLd.Parameters.Add(usrname);
cmdLd.Parameters.Add(Sha);

SqlDataReader dr;
int K = 0;
dr = cmdLd.ExecuteReader();
while(dr.Read())
{
    K++;
}

if (K==1)
{
    con.Close();
    MessageBox.Show("Login Successful", " ", MessageBoxButtons.OK, MessageBoxIcon.Information);
    textBox2.Clear();
    ChangePasswordPlatform cpp = new ChangePasswordPlatform();
    cpp.Tag = this;
    cpp.Show(this);
    Hide();
}
else
{
    MessageBox.Show("Invalid username or password", " ", MessageBoxButtons.OK, MessageBoxIcon.Warning);
    textBox2.Clear();
}

C#
private static string SaltF(int size)
{
    // Generates a fresh random salt on every call and returns it Base64-encoded.
    // Requires: using System.Security.Cryptography;
    using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
    {
        byte[] bytes = new byte[size];
        rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }
}

private static string SaltHashF(string salt, string pwd)
{
    // Hash256F is the poster's SHA-256 helper, defined elsewhere in their code.
    string PwdAndSalt = string.Concat(salt, pwd);
    string PwdSaltHash = Hash256F(PwdAndSalt);
    return PwdSaltHash;
}
Posted
Updated 9-Nov-16 2:48am

You have to use the same salt with each user. So generate a salt for user1, let's say "salt1". You then add that to their password and hash it, then store the salt and the hashed result: hash(salt + pwd) (let's say it's ABCDEFG).

SQL
UserID, Username, Salt, Hash
1, user1, salt1, ABCDEFG

When that user logs in you read their salt from the database and add it to the password they supplied in the password box and hash it to see if it matches the stored hash.

C#
GenerateHash(dr["Salt"] + textBox2.Text)

What your code is doing is generating a new salt each time, so if you salt user1's password with "salt1" when they create their account, then when they log in salt it with "salt2", the resulting hashes won't match, as

hash("salt1" + "password") <> hash("salt2" + "password")

If you google, there are articles that show you how to do all of this.
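The register/login flow described in this answer, written out as an added example (not the poster's code or the answer's own): the salt is generated once at registration and stored next to the hash, and at login the user's stored salt is read back and reused. The `UserRecord` class and dictionary stand in for the `SecureUser` table; the hash construction is the answer's `hash(salt + pwd)` with SHA-256 (a password KDF such as PBKDF2 would be the stronger choice for real use), and the comparison is constant-time.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Stand-in for one row of the SecureUser table (UserID, Username, Salt, Hash).
public sealed class UserRecord
{
    public string Username = "";
    public string Salt = "";  // Base64; generated once, at registration only
    public string Hash = "";  // Base64 of SHA-256(salt + password)
}

public static class SaltedLogin
{
    // Same construction as the answer: hash(salt + pwd), here with SHA-256.
    static string HashWithSalt(string salt, string pwd)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(salt + pwd)));
    }

    // Registration is the only place a salt is created; salt and hash are stored together.
    public static UserRecord Register(string username, string pwd)
    {
        byte[] saltBytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(saltBytes);
        string salt = Convert.ToBase64String(saltBytes);
        return new UserRecord { Username = username, Salt = salt, Hash = HashWithSalt(salt, pwd) };
    }

    // Login: look the user up, reuse THEIR stored salt, recompute and compare in constant time.
    // A unknown username and a wrong password both return false, so nothing leaks which it was.
    public static bool Verify(IDictionary<string, UserRecord> table, string username, string pwd)
    {
        UserRecord rec;
        if (!table.TryGetValue(username, out rec)) return false;
        byte[] expected = Convert.FromBase64String(rec.Hash);
        byte[] actual = Convert.FromBase64String(HashWithSalt(rec.Salt, pwd));
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }

    public static void Main()
    {
        var table = new Dictionary<string, UserRecord>();   // constructed in-memory "table"
        UserRecord u = Register("user1", "correct horse");
        table[u.Username] = u;
        Console.WriteLine(Verify(table, "user1", "correct horse"));
        Console.WriteLine(Verify(table, "user1", "wrong password"));
        Console.WriteLine(Verify(table, "nobody", "correct horse"));
    }
}
```

In the poster's SQL version the equivalent is a `select Salt, SH from SecureUser where Username = @usrn` followed by the recompute-and-compare in C#, rather than sending a freshly salted hash into the `where` clause.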
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)