Click here to Skip to main content
15,662,484 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
public static class EncryptionUtilities
        private const int SALT_SIZE = 8;
        private const int NUM_ITERATIONS = 1000;

        private static readonly RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();

        /// <summary>
        /// Creates a signature for a password.
        /// </summary>
        /// <param name="password">The password to hash.</param>
        /// <returns>the "salt:hash" for the password.</returns>
        public static string CreatePasswordSalt(string password)
            byte[] buf = new byte[SALT_SIZE];
            string salt = Convert.ToBase64String(buf);

            Rfc2898DeriveBytes deriver2898 = new Rfc2898DeriveBytes(password.Trim(), buf, NUM_ITERATIONS);
            string hash = Convert.ToBase64String(deriver2898.GetBytes(16));
            return salt + ':' + hash;

        /// <summary>
        /// Validate if a password will generate the passed in salt:hash.
        /// </summary>
        /// <param name="password">The password to validate.</param>
        /// <param name="saltHash">The "salt:hash" this password should generate.</param>
        /// <returns>true if we have a match.</returns>
        public static bool IsPasswordValid(string password, string saltHash)
            string[] parts = saltHash.Split(new[] { ':' }, StringSplitOptions.RemoveEmptyEntries);
            if (parts.Length != 2)
                return false;
            byte[] buf = Convert.FromBase64String(parts[0]);
            Rfc2898DeriveBytes deriver2898 = new Rfc2898DeriveBytes(password.Trim(), buf, NUM_ITERATIONS);
            string computedHash = Convert.ToBase64String(deriver2898.GetBytes(16));
            return parts[1].Equals(computedHash);

protected void Button1_Click(object sender, EventArgs e)

    SqlCommand cmd = new SqlCommand();
    cmd.Connection = con;

    cmd.CommandText = "select * from tb_employees where emp_email = @emp_email and emp_password = @emp_password";
    cmd.Parameters.AddWithValue("@emp_email", TextBox1.Text);
    cmd.Parameters.AddWithValue("@emp_password", EncryptionUtilities.IsPasswordValid(TextBox2.Text.ToString(), TextBox2.Text));

    SqlDataReader dr = cmd.ExecuteReader();

    while (dr.Read())

CPallini 10-Dec-15 3:03am    
Ho, code dump. What is the question?
Randy Ortan 10-Dec-15 3:57am    
how to match hash with salt password

1 solution

I'd advise you to first learn and understand what it is you're trying to do;[^]

The above link has c# examples, and there are other examples too if you google "c# hash passwords with salt".

Second of all you're passing the result of a bool function (IsPasswordValue) to your SQL so your SQL is going to be

select * from tb_employees where emp_email = '' and emp_password = true

I'm going to assume your emp_password field contains the hashed\encrypted password and not just true or false. When the user creates their account you generate the hashed version of their password (including the salt). You save the hashed password as well as the salt that was used in the database against that user. When they login you retrieve their hashed password and their salt, you then re-hash the password they supplied in the password box with the salt you retrieved from the database, and see if that matches the hashed password you retrieved from the database. If they match the person has logged in.
Share this answer

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900