How to Match Hash with Salt Password in C#

Question

0.00/5 (No votes)

See more:

C#

public static class EncryptionUtilities
    {
        private const int SALT_SIZE = 8;
        private const int NUM_ITERATIONS = 1000;

        private static readonly RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();

        /// <summary>
        /// Creates a signature for a password.
        /// </summary>
        /// <param name="password">The password to hash.</param>
        /// <returns>the "salt:hash" for the password.</returns>
        public static string CreatePasswordSalt(string password)
        {
            byte[] buf = new byte[SALT_SIZE];
            rng.GetBytes(buf);
            string salt = Convert.ToBase64String(buf);

            Rfc2898DeriveBytes deriver2898 = new Rfc2898DeriveBytes(password.Trim(), buf, NUM_ITERATIONS);
            string hash = Convert.ToBase64String(deriver2898.GetBytes(16));
            return salt + ':' + hash;
        }

        /// <summary>
        /// Validate if a password will generate the passed in salt:hash.
        /// </summary>
        /// <param name="password">The password to validate.</param>
        /// <param name="saltHash">The "salt:hash" this password should generate.</param>
        /// <returns>true if we have a match.</returns>
        public static bool IsPasswordValid(string password, string saltHash)
        {
            string[] parts = saltHash.Split(new[] { ':' }, StringSplitOptions.RemoveEmptyEntries);
            
            if (parts.Length != 2)
                
                return false;
            byte[] buf = Convert.FromBase64String(parts[0]);
            Rfc2898DeriveBytes deriver2898 = new Rfc2898DeriveBytes(password.Trim(), buf, NUM_ITERATIONS);
            string computedHash = Convert.ToBase64String(deriver2898.GetBytes(16));
            return parts[1].Equals(computedHash);
        }
    }

C#

protected void Button1_Click(object sender, EventArgs e)
{
    con.Open();


    SqlCommand cmd = new SqlCommand();
    cmd.Connection = con;

    cmd.CommandText = "select * from tb_employees where emp_email = @emp_email and emp_password = @emp_password";
    cmd.Parameters.AddWithValue("@emp_email", TextBox1.Text);
    cmd.Parameters.AddWithValue("@emp_password", EncryptionUtilities.IsPasswordValid(TextBox2.Text.ToString(), TextBox2.Text));


    SqlDataReader dr = cmd.ExecuteReader();


    while (dr.Read())
    {
        Response.Write("success");
    }

    dr.Close();
    dr.Dispose();
    con.Close();
}

Posted 9-Dec-15 19:42pm

Randy Ortan

Add a Solution

Comments

CPallini 10-Dec-15 3:03am

Ho, code dump. What is the question?

Randy Ortan 10-Dec-15 3:57am

how to match hash with salt password

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

F-ES Sitecore · Answer 1 · 2015-12-09T22:37:00

I'd advise you to first learn and understand what it is you're trying to do;

https://crackstation.net/hashing-security.htm[^]

The above link has c# examples, and there are other examples too if you google "c# hash passwords with salt".

Second of all you're passing the result of a bool function (IsPasswordValue) to your SQL so your SQL is going to be

SQL

select * from tb_employees where emp_email = 'me@here.com' and emp_password = true

I'm going to assume your emp_password field contains the hashed\encrypted password and not just true or false. When the user creates their account you generate the hashed version of their password (including the salt). You save the hashed password as well as the salt that was used in the database against that user. When they login you retrieve their hashed password and their salt, you then re-hash the password they supplied in the password box with the salt you retrieved from the database, and see if that matches the hashed password you retrieved from the database. If they match the person has logged in.