1

Currently I have this code:

    // POST: users/Create
    // To protect from overposting attacks, please enable the specific properties you want to bind to, for 
    // more details see http://go.microsoft.com/fwlink/?LinkId=317598.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create([Bind(Include = "id,naam,wachtwoord,email,isadmin")] user user)
    {
        user.wachtwoord = Crypto.HashPassword(user.wachtwoord);
        if (ModelState.IsValid)
        {
            db.users.Add(user);
            db.SaveChanges();
            return RedirectToAction("Index");
        }

        return View(user);
    }

Now it breaks if I use `user.wachtwoord = Crypto.HashPassword`.

Now my question is: in this case, what's the proper way to save a user password through the HttpPost method, and how can I later unhash the password in a login controller?

Greetings

Uwe Keim
Josh Kapp
  • 1
    Do you want to do this for yourself, or wouldn't it be better if you used ASP.NET Identity Framework? Also, what's the error message? – Luke Sep 16 '15 at 14:15
  • 1
    Encryption is pointless unless the communication method is also encrypted. The only way to encrypt communications in HTTP is HTTPS. So you should use SSL. – Liam Sep 16 '15 at 14:34
  • 1
    possible duplicate of [MVC 3 where to encrypt the user's password?](http://stackoverflow.com/questions/12010665/mvc-3-where-to-encrypt-the-users-password) – Liam Sep 16 '15 at 14:34
  • Are you asking how to hash a password in order to store in database ***or*** how to transmit a password from client browser to Create Action method? – Win Sep 16 '15 at 17:59
  • Euhm, I'm trying to hash the plaintext they send on the create action, so it's plaintext > hash > MS SQL DB, and then on the login function it should check if the hash equals the one in the DB – Josh Kapp Sep 16 '15 at 18:11

2 Answers

1

If you want to implement a custom solution, one could be: using a one-way hashing algorithm with a salt and storing that value in a users table as the user password. You wouldn't be "unhashing" the password in the login controller; you would hash the password that the user has provided in the login controller with the salt and compare it with the one in the DB (or the repository where you saved the user credentials).

Márcio Duarte
0

Why don't you consider ASP.NET Identity? There you get this out of the box.

hbulens