Password hashing in a C# Windows app, absent ASP.NET's FormsAuthentication?

Question

My Win form app doesn't seem to like FormsAuthentication, I'm totally new to hashing so any help to convert this would be very welcome. Thanks.

//Write hash
protected TextBox tbPassword;
protected Literal liHashedPassword;

{
  string strHashedPassword = FormsAuthentication.HashPasswordForStoringInConfigFile(tbPassword.Text, "sha1");
  liHashedPassword.Text = "Hashed Password is: " + strHashedPassword;    
}

//read hash
string strUserInputtedHashedPassword = FormsAuthentication.HashPasswordForStoringInConfigFile( tbPassword.Text, "sha1");
if(strUserInputtedHashedPassword == GetUsersHashedPasswordUsingUserName(tbUserName.Text))
{
  // sign-in successful
}
else
{
  // sign-in failed
}

Is the goal to have an app that allows users to specify different credentials than the logged in user? To obtain credentials for use in accessing other services? I'm not sure what you are trying to do. — tvanfosson, Oct 17 '08 at 16:26

Mark Cidade · Answer 1 · 2008-11-10T15:08:36.673

23

using System.Security.Cryptography;

public static string EncodePasswordToBase64(string password)
{  byte[] bytes   = Encoding.Unicode.GetBytes(password);
   byte[] inArray = HashAlgorithm.Create("SHA1").ComputeHash(bytes);
   return Convert.ToBase64String(inArray);
}

edited Nov 10 '08 at 15:08

answered Oct 17 '08 at 16:16

Mark Cidade

98,437
31
224
236

1

Very clean - I tested our two implementations and yours is a bit faster.. 50ms faster on 100,000 iterations, so I'm upvoting it :) – Jarrod Dixon Oct 17 '08 at 18:40
Bear in mind that SHA1 is (apparently) faster, but would be less secure than SHA256. See http://en.wikipedia.org/wiki/SHA256 for more information – Dan Esparza May 27 '10 at 16:46
1

@JarrodDixon: On the contrary. For passwords, you want a _slower_ hash. – SLaks Oct 04 '12 at 02:37

score 3 · Answer 2 · answered Oct 17 '08 at 16:06

The FormsAuthentication is defined in the System.Web.Security namespace which is in the System.Web.dll assembly.

Just because you are writing a WinForm app does not stop you from using that namespace or referencing that assembly; they are just not done by default as they would be for a WebForms app.

score 2 · Answer 3 · answered Oct 04 '12 at 00:46

2

If you are using the hashing for user credentials I suggest you do more than just hashing, you ideally want key stretching as well.

Here is an API to do what you want in a secure fashion:

https://sourceforge.net/projects/pwdtknet/

answered Oct 04 '12 at 00:46

thashiznets

433
4
6

I don't see any source code there. Not sure anyone's going to trust their passwords to a .DLL they don't know anything about. – I. J. Kennedy Oct 26 '12 at 01:08
Source is there in the files area in the folder named "source". Source is provided for exactly the reason you describe. here is a link to the source folder http://sourceforge.net/projects/pwdtknet/files/Source/ – thashiznets Aug 23 '13 at 09:50

score 1 · Answer 4 · answered Oct 17 '08 at 16:03

1

I think it should work. All you need to do is reference System.Web.Security in your code (and add it as a reference in your Visual Studio Project).

answered Oct 17 '08 at 16:03

Vaibhav

11,310
11
51
70

score 1 · Answer 5 · answered Oct 17 '08 at 16:22

If you actually have to 'ship' this forms app, maybe adding System.Web.Security is not such a good idea...

If you need an SHA1 hash, there is a very easy to use .net cryptography library with examples on msdn. The key is to

take what you want to encrypt
turn it into bytes for whichever encoding(ascii, utf*) you are using
Use one of the many hashing schemes builtin to .Net to get the hashed bytes
turn those bytes back into a string in the same encoding as in step 2
Save the resulting hashed string somewhere for later comparison

//step 1 and 2
byte[] data = System.Text.Encoding.Unicode.GetBytes(tbPassword.Text,);
byte[] result; 

//step 3
SHA1 sha = new SHA1CryptoServiceProvider(); 
result = sha.ComputeHash(data);

//step 4
string storableHashResult = System.Text.Encoding.Unicode.ToString(result);

//step 5
    // add your code here

Other than the obvious "it's not meant for WinForms apps", is there a reason why including System.Web.* is not such a good idea? — JasonS, Oct 17 '08 at 16:39
Reminds me of a post by Rick Strahl at http://www.west-wind.com/Weblog/posts/617930.aspx 1. It doesn't "feel" right. 2. It forces System.Web into the loaded assebly list of any application consuming the library. 3. It adds 2.5 megs to the memory footprint just for loading it. 4. etc. (out of room) — Ted, Mar 03 '09 at 23:23

score 1 · Answer 6 · answered Nov 09 '08 at 15:15

1

Could you not use the BitConverter function instead of the "x2" loop?

e.g.

return BitConverter.ToString(hash).Replace("-", "");

answered Nov 09 '08 at 15:15

woany

1,219
2
11
10

Password hashing in a C# Windows app, absent ASP.NET's FormsAuthentication?

6 Answers6