In this post, I show you how to protect passwords using a hash-and-salt mechanism.
Hashing passwords with a salt is one of the best practices for protecting user accounts from attackers, and it means nobody (including you) can see plain-text passwords in your databases or text files. In case attackers steal the database, they still need a lot of time to recover the passwords from the hashes; it won't be easy at all. At the same time, you gain time to reset all passwords or ask users to change their passwords right away.
My background is as a .NET developer. That's why I have written two simple functions in C# and VB.NET, as below.
C#
```csharp
using System;
using System.Security.Cryptography;

public class SecurityHelper
{
    // Returns nSalt random bytes, Base64-encoded, from the OS CSPRNG.
    public static string GenerateSalt(int nSalt)
    {
        var saltBytes = new byte[nSalt];
        using (var provider = new RNGCryptoServiceProvider())
        {
            provider.GetNonZeroBytes(saltBytes);
        }
        return Convert.ToBase64String(saltBytes);
    }

    // PBKDF2 (Rfc2898DeriveBytes, HMAC-SHA1 by default) over the decoded salt;
    // returns nHash derived bytes, Base64-encoded. Store salt, hash and the
    // iteration count together so the same derivation can be repeated at login.
    public static string HashPassword(string password, string salt, int nIterations, int nHash)
    {
        var saltBytes = Convert.FromBase64String(salt);
        using (var rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, saltBytes, nIterations))
        {
            return Convert.ToBase64String(rfc2898DeriveBytes.GetBytes(nHash));
        }
    }
}
```
VB.NET
```vbnet
Imports System
Imports System.Security.Cryptography

Public Class SecurityHelper
    ' Returns nSalt random bytes, Base64-encoded, from the OS CSPRNG.
    Public Shared Function GenerateSalt(ByVal nSalt As Integer) As String
        ' VB.NET array bounds are inclusive: New Byte(nSalt) would allocate nSalt + 1 bytes.
        Dim saltBytes = New Byte(nSalt - 1) {}
        Using provider = New RNGCryptoServiceProvider()
            provider.GetNonZeroBytes(saltBytes)
        End Using
        Return Convert.ToBase64String(saltBytes)
    End Function

    ' PBKDF2 (Rfc2898DeriveBytes, HMAC-SHA1 by default) over the decoded salt;
    ' returns nHash derived bytes, Base64-encoded.
    Public Shared Function HashPassword(ByVal password As String, ByVal salt As String, ByVal nIterations As Integer, ByVal nHash As Integer) As String
        Dim saltBytes = Convert.FromBase64String(salt)
        Using rfc2898DeriveBytes = New Rfc2898DeriveBytes(password, saltBytes, nIterations)
            Return Convert.ToBase64String(rfc2898DeriveBytes.GetBytes(nHash))
        End Using
    End Function
End Class
```
For example:
```csharp
string pwd = "123Abc#@";
string salt = SecurityHelper.GenerateSalt(70);              // 70 random salt bytes
string pwdHashed = SecurityHelper.HashPassword(pwd, salt, 10101, 70); // 10101 iterations, 70-byte hash
Console.WriteLine(pwdHashed);
Console.WriteLine(salt);
```
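The other half of the mechanism is checking a login attempt: re-derive the hash from the candidate password with the stored salt, iteration count and length, and compare it in constant time. The following is an added example, not code from the original post; it assumes .NET Core 2.1 or later (for `RandomNumberGenerator.Fill` and `CryptographicOperations.FixedTimeEquals`) and uses the same parameters as the post's usage example.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not from the original post). Assumes .NET Core 2.1+ / .NET 5+.
public static class PasswordCheck
{
    // Same derivation as the post's HashPassword: PBKDF2 via Rfc2898DeriveBytes
    // (HMAC-SHA1 by default) over the raw salt bytes, nHash output bytes.
    public static byte[] DeriveBytes(string password, byte[] saltBytes, int nIterations, int nHash)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, saltBytes, nIterations))
        {
            return kdf.GetBytes(nHash);
        }
    }

    // Verification: decode the stored salt and hash, re-derive from the candidate
    // with the SAME iteration count and length, and compare in constant time so
    // the position of the first mismatching byte does not leak through timing.
    public static bool Verify(string candidate, string salt, string storedHash, int nIterations, int nHash)
    {
        byte[] expected = Convert.FromBase64String(storedHash);
        byte[] actual = DeriveBytes(candidate, Convert.FromBase64String(salt), nIterations, nHash);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    public static void Main()
    {
        const int iterations = 10101, hashLen = 70;

        // Registration: a fresh random salt per user, then the derived hash.
        // What gets stored is (salt, storedHash, iterations), never the password.
        byte[] saltBytes = new byte[70];
        RandomNumberGenerator.Fill(saltBytes);
        string salt = Convert.ToBase64String(saltBytes);
        string storedHash = Convert.ToBase64String(DeriveBytes("123Abc#@", saltBytes, iterations, hashLen));

        // Login: the correct password matches, a one-character variant does not.
        Console.WriteLine("correct password: " + Verify("123Abc#@", salt, storedHash, iterations, hashLen));
        Console.WriteLine("wrong password:   " + Verify("123abc#@", salt, storedHash, iterations, hashLen));
    }
}
```

On .NET Framework, where `CryptographicOperations` is not available, replace the comparison with a loop that XORs every byte and only checks the accumulated result at the end, rather than a plain `SequenceEqual` that stops at the first difference.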
Hope you enjoy this post.
Happy coding :)
Top comments (4)
From what you have, this is how you would verify a password:
I guess the question by @parajdox was - How to verify the user against the Hashed password
how do we decrypt this?
The main point of any hash algorithm is that it works only one way.
Decryption should be impossible after the hash operation is done.
Generally this works perfectly for passwords because there is no need to decrypt the hashed password; you just need to hash the password entered in the login form and compare it with the hash saved in the db.