My MatchPasswordHash method gives an error "Index was outside the bounds of the array". This is my code:


this is the error
WebAPI.Middlewares.ExceptionMiddleware[0] Index was outside the bounds of the array. System.IndexOutOfRangeException: Index was outside the bounds of the array. at WebAPI.Data.Repo.UserRepository.MatchPasswordHash(String passwordText, Byte[] password, Byte[] passwordKey)


What I have tried:

using System.Security.Cryptography;
using System.Text;

// Compares the HMAC of the supplied password text against the stored hash bytes.
// passwordKey is the HMAC key that was used when the password was first hashed.
private bool MatchPasswordHash(string passwordText, byte[] password, byte[] passwordKey)
{
    using (var hmac = new HMACSHA512(passwordKey))
    {
        // HMACSHA512 always produces a 64-byte hash.
        var passwordHash = hmac.ComputeHash(Encoding.UTF8.GetBytes(passwordText));

        // The loop is bounded by passwordHash.Length (64), not by password.Length,
        // so if the stored array is shorter than 64 bytes, password[i] throws
        // IndexOutOfRangeException, which is the exception reported above.
        for (int i = 0; i < passwordHash.Length; i++)
        {
            if (passwordHash[i] != password[i])
                return false;
        }
        return true;
    }
}
Posted
Updated 21-Jun-22 21:36pm
Comments
0x01AA 21-Jun-22 16:37pm    
Looks/smells like password has a length of 0. Check it with the debugger.

Your passwordHash variable is obviously longer than the password. What exactly is this code trying to achieve?
 
Comments
Member 11151570 21-Jun-22 16:05pm    
This code is trying to authenticate a user who is trying to log in.
Richard MacCutchan 21-Jun-22 16:13pm    
Well you are comparing the bytes of two arrays of unequal length. So you need to use your debugger to find out why they are different.
OriginalGriff 21-Jun-22 17:11pm    
I'm pretty sure the one passed in is always 13 bytes long ... :laugh:
And you know what it translates to as characters as well :D
Richard MacCutchan 22-Jun-22 3:13am    
Forgive me for being dim, but why 13?
OriginalGriff 22-Jun-22 7:27am    
"System.Byte[]" has 13 characters ... and is what you get if you use ToString (explicitly or implicitly) on any byte array.
Like if you were storing it in a DB without using parameterised queries, perhaps ... :D
To add to what Richard has said, if the two arrays have a different length, then one of three things is true:
1) They are not the same, so the passwords do not match.
2) Your hashing algorithm is not good at all: it produces different-length hashes, which is not correct. Hashes should be the same size for all input values, or they are encryption instead ...
3) The stored passwords are garbage.

So start with the debugger to find out exactly what you are comparing - that should give you an idea where the problem lies: with your hashing algorithm or the storage / retrieval of the hashed passwords you are comparing with.

Additionally, hashing passwords is a good idea, but it has to be combined with other info - in other words, passwords need to be salted with additional info related to the account they apply to. If you don't do that - and you don't - then all identical passwords have identical hashes, and that makes them very insecure.

If I had to guess, I'd suspect that your storage is the problem, and that I know exactly how long the password hash you are passing into that method is ...
 
Don't try to reinvent the wheel - particularly when you don't have a thorough understanding of what you're doing.

Aside from the missing salt and password stretching, your code is clearly vulnerable to a timing attack. The chances are that a cryptography expert would find many other problems with it.

.NET already provides perfectly good authentication mechanisms - for example, ASP.NET Identity. Use that instead.
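The two answers above make three separate points: a stored hash shorter than the 64 bytes HMACSHA512 produces means the storage is broken (the 13-byte "System.Byte[]" case), identical passwords need a per-user salt so their hashes differ, and a byte-by-byte loop that returns on the first mismatch leaks timing information. The following is an added example written for this thread, not the original poster's code and not the code of any library; the names CreatePasswordHash, MatchPasswordHash and HashLength, the 128-byte key size and the check in Main are this example's own choices. It assumes .NET 6 or later for RandomNumberGenerator.GetBytes and C# 8 for the using declaration.

```csharp
// Added example: a hash/verify pair that checks the stored length before comparing,
// uses a fresh random HMAC key per user, and compares in constant time.
using System;
using System.Security.Cryptography;
using System.Text;

public static class PasswordHashing
{
    // HMACSHA512 output is always 64 bytes; a stored hash of any other length is corrupt.
    public const int HashLength = 64;

    // Generates a fresh random key for this one user and returns (hash, key).
    // Because the key is random per user, identical passwords produce different hashes.
    // Both values must be stored as raw bytes (parameterised query, varbinary column),
    // never by string-formatting the array.
    public static (byte[] Hash, byte[] Key) CreatePasswordHash(string passwordText)
    {
        byte[] key = RandomNumberGenerator.GetBytes(128);   // assumption: .NET 6+ API
        using var hmac = new HMACSHA512(key);
        byte[] hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(passwordText));
        return (hash, key);
    }

    public static bool MatchPasswordHash(string passwordText, byte[] storedHash, byte[] storedKey)
    {
        if (storedHash is null || storedKey is null)
            return false;

        // A 13-byte "hash" is the symptom discussed above: the bytes were saved as
        // bytes.ToString(), i.e. the literal text "System.Byte[]". Reject instead of indexing.
        if (storedHash.Length != HashLength)
            return false;

        using var hmac = new HMACSHA512(storedKey);
        byte[] computed = hmac.ComputeHash(Encoding.UTF8.GetBytes(passwordText));

        // Constant-time comparison: the running time does not depend on which byte differs,
        // so an attacker cannot recover the stored hash one byte at a time.
        return CryptographicOperations.FixedTimeEquals(computed, storedHash);
    }

    public static void Main()
    {
        const string secret = "correct horse battery staple";
        var (hash, key) = CreatePasswordHash(secret);

        if (!MatchPasswordHash(secret, hash, key))
            throw new InvalidOperationException("correct password must verify");
        if (MatchPasswordHash("wrong password", hash, key))
            throw new InvalidOperationException("wrong password must not verify");

        // Two users with the same password get different hashes because their keys differ.
        var (otherHash, _) = CreatePasswordHash(secret);
        if (CryptographicOperations.FixedTimeEquals(hash, otherHash))
            throw new InvalidOperationException("per-user key should give distinct hashes");

        // Reproduce the storage mistake: string-formatting a byte[] yields its type name.
        string garbage = "" + hash;                            // "System.Byte[]"
        byte[] storedGarbage = Encoding.UTF8.GetBytes(garbage); // 13 bytes
        // The original loop would throw IndexOutOfRangeException at index 13;
        // this version simply reports a failed match.
        if (MatchPasswordHash(secret, storedGarbage, key))
            throw new InvalidOperationException("corrupt stored hash must not verify");

        Console.WriteLine("All checks passed (garbage length = " + storedGarbage.Length + ")");
    }
}
```

The length check in MatchPasswordHash is what turns the exception in the question into a clean authentication failure, and the FixedTimeEquals call is what removes the early-exit timing leak that the last answer points out. The example still does no password stretching; for a real system the advice above to use ASP.NET Identity, whose hasher applies PBKDF2, stands.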

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)