password hash


Phil Townsend

I have been asked to rewrite some apps that contain databases of
usernames and passwords to store the passwords as hashes. Getting the
data into a hash format is no problem. However, how do I go about
reading the hash value to validate a user? Is there a method of the
FormsAuthentication class for doing this?
 
Phil,

There is nothing on the FormsAuthentication class that will help you
with this. Generally, you are hooking into that in order to be called when
you want to provide custom authentication. .NET 2.0 (particularly ASP.NET)
has a ton of new classes to help with authentication (which you might be
able to use).

Basically, what you need to do is hash the password that comes in, and
compare it to wherever you store the hash. If you are using one of the
algorithms represented in the System.Security.Cryptography namespace, then
your task should be easy.

Hope this helps.
 
I would use at least a keyed hash such as HMACSHA1 and use the full
resulting hash size to store in the db.
How you get and set values to your DB depends on your needs. You could use
SQL, an XML file, or txt/csv/tsv (e.g., good ol' Unix style).

using System;
using System.Security.Cryptography;
using System.Text;

// Your PW system. Use at least a "keyed" hash.
byte[] key = Encoding.UTF8.GetBytes("my key"); // Use same each time, but hide.
HMACSHA1 hmac = new HMACSHA1(key);

// Enter Password into db.
string userPW = "letmein";
byte[] pwBytes = Encoding.UTF8.GetBytes(userPW);
byte[] pwHash = hmac.ComputeHash(pwBytes);
// Store pwHash with User's Record in db.

// Verify Password.
byte[] storedHash = pwHash; // TODO: Get pw hash bytes from DB.
string enteredPW = "nogo";
byte[] newHash = hmac.ComputeHash(Encoding.UTF8.GetBytes(enteredPW));

if ( BuffersEqual(storedHash, newHash) )
    Console.WriteLine("Password valid.");
else
    Console.WriteLine("Invalid password.");

// Byte-by-byte comparison of two hashes (compares the elements, not the array references).
public static bool BuffersEqual(byte[] a1, byte[] a2)
{
    if ( a1 == null || a2 == null )
        throw new ArgumentNullException("null parm.");
    if ( a1.Length != a2.Length )
        return false;
    Console.WriteLine("Hash1:"+BitConverter.ToString(a1));
    Console.WriteLine("Hash2:"+BitConverter.ToString(a2));
    for(int i=0; i < a1.Length; i++)
    {
        if ( a1[i] != a2[i] ) // compare the bytes at index i, not the arrays themselves
            return false;
    }
    return true;
}
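As an added example that is not code from either reply above, the following C# shows the set-then-verify flow both replies describe (hash on the way in, re-hash the login attempt, compare against what the record holds) carried one step further: it stores a random per-user salt next to the hash and derives the hash with PBKDF2 via Rfc2898DeriveBytes (in System.Security.Cryptography since .NET 2.0), so two users with the same password get different stored values, and it compares the two hashes without returning early on the first mismatching byte. The salt size, hash size and iteration count are assumed values chosen for the example, the StoredCredential struct stands in for the user's database record, and the RNGCryptoServiceProvider/Rfc2898DeriveBytes objects are created without `using` blocks only so the snippet compiles on .NET 2.0 as well as on later frameworks.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: salted PBKDF2 password storage with a fixed-time comparison.
// Not from the thread; the DB is replaced by an in-memory StoredCredential.
public class PasswordStore
{
    // Assumed parameters for the example.
    const int SaltSize = 16;      // bytes of random salt per user
    const int HashSize = 32;      // bytes of derived hash to store
    const int Iterations = 10000; // PBKDF2 iteration count, stored with the record

    // Stand-in for the columns kept with the user's record instead of the password.
    public struct StoredCredential
    {
        public byte[] Salt;
        public byte[] Hash;
        public int Iterations;
    }

    // Called when a password is set: fresh random salt per user, then derive.
    public static StoredCredential Create(string password)
    {
        byte[] salt = new byte[SaltSize];
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        rng.GetBytes(salt);

        StoredCredential cred;
        cred.Salt = salt;
        cred.Iterations = Iterations;
        cred.Hash = Derive(password, salt, Iterations);
        return cred; // persist Salt, Hash and Iterations with the user's record
    }

    // Called on login: re-derive with the stored salt and iteration count,
    // then compare against the stored hash.
    public static bool Verify(string password, StoredCredential stored)
    {
        byte[] candidate = Derive(password, stored.Salt, stored.Iterations);
        return FixedTimeEquals(candidate, stored.Hash);
    }

    // PBKDF2-HMAC-SHA1 via Rfc2898DeriveBytes (System.Security.Cryptography).
    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, iterations);
        return kdf.GetBytes(HashSize);
    }

    // Examines every byte regardless of where the first difference is, so the
    // time taken does not depend on how many leading bytes matched.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null)
            throw new ArgumentNullException("null parm.");
        if (a.Length != b.Length)
            return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample: set a password, then check a right and a wrong attempt.
        StoredCredential cred = Create("letmein");
        Console.WriteLine("Salt: " + BitConverter.ToString(cred.Salt));
        Console.WriteLine("Hash: " + BitConverter.ToString(cred.Hash));
        Console.WriteLine(Verify("letmein", cred) ? "Password valid." : "Invalid password.");
        Console.WriteLine(Verify("nogo", cred) ? "Password valid." : "Invalid password.");
    }
}
```

Keeping the iteration count in the record is what lets you raise it later for new or re-set passwords without invalidating existing rows; old rows keep verifying with the count they were created with.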
 