How to compare this Salted password when user logs in?

Question

I've used this method to get salted password. I don't know how I can compare the stored salted password with user entered password when he/she logs in

string salt = GetRandomSalt();
 string passwordHash = HashPassword(txtPassword.Text, salt);
 IdentityResult result = manager.Create(user, passwordHash);


    public String GetRandomSalt(Int32 size = 12)
    {
        var random = new RNGCryptoServiceProvider();
        var salt = new Byte[size];
        random.GetBytes(salt);
        return Convert.ToBase64String(salt);
    }
    public String HashPassword(String password, String salt)
    {
        var combinedPassword = String.Concat(password, salt);
        var sha256 = new SHA256Managed();
        var bytes = UTF8Encoding.UTF8.GetBytes(combinedPassword);
        var hash = sha256.ComputeHash(bytes);
        return Convert.ToBase64String(hash);
    }

My application is ASP.net MVC 4 and uses identity framework to provide roles and users

I tried using the following code in login form, but it's not working. I guess it's because the manager.Create hashes the salted hash again. How to fix it?

Login.aspx

  bool pwmatch = VerifyPassword(txtUserName.Text, txtPassword.Text);


    public String HashPassword(String password, String salt)
    {
        var combinedPassword = String.Concat(password, salt);
        var sha256 = new SHA256Managed();
        var bytes = UTF8Encoding.UTF8.GetBytes(combinedPassword);
        var hash = sha256.ComputeHash(bytes);
        return Convert.ToBase64String(hash);
    }

    private bool VerifyPassword(string suppliedUserName, string suppliedPassword)
    {
        var userStore = new UserStore<IdentityUser>();
        userStore.Context.Database.Connection.ConnectionString =
            ConfigurationManager.ConnectionStrings["MUSICConnectionString"].ConnectionString;

        var manager = new UserManager<IdentityUser>(userStore);

        var user = manager.FindByName(suppliedUserName);
        bool passwordMatch = false;
        string dbPasswordHash = user.PasswordHash;
        int saltSize = 12;
        string salt =dbPasswordHash.Substring(dbPasswordHash.Length - saltSize);
        string hashedPasswordAndSalt =HashPassword(suppliedPassword, salt);
        // Now verify them.
        passwordMatch = hashedPasswordAndSalt.Equals(dbPasswordHash);
        return passwordMatch;
    }

From just looking over the code, it seems like you are appending the hash to the end of the plaintext password and then computing the sha256 hash. You are taking a saltsize of 12 chars after reading the hash from the db - is that right? how are you sure thats what is being stored in your db? — Adam Tuliper, Jan 23 '16 at 06:58
I'm appending salt at end of plain text and compute sha256 hash. Then reading the salted hash from db. In login page, string salt =dbPasswordHash.Substring(dbPasswordHash.Length - saltSize); this finds the salt. then hash the entered password with salt. I dont know if manager.Create used by identity framework is doing some enctryption and hashing when user is created with IdentityResult result = manager.Create(user, passwordHash); — , Jan 23 '16 at 07:58
also is string salt =dbPasswordHash.Substring(dbPasswordHash.Length - saltSize); this correct? — , Jan 23 '16 at 08:10

score 1 · Answer 1 · edited May 23 '17 at 12:07

1

Notice here how the default hash implementation in Identity is working ASP.NET Identity default Password Hasher, how does it work and is it secure?

ASP.NET Identity already contains a method to verify hashed password - its called VerifyHashedPassword you should be able to use this (unless you migrated in a particular way from prior asp.net membership)

edited May 23 '17 at 12:07

Community

1
1

answered Jan 23 '16 at 08:18

Adam Tuliper

29,982
4
53
71

score 1 · Answer 2 · answered Sep 26 '18 at 08:32

The main idea to use a salt for a specific user/password, but being able to retain the used salt when user logs in again. Here are the logical steps needed to do that:

To Store a Password

Generate a long random salt.
Prepend the salt to the password and hash it with a standard password hashing function.
Save both the salt and the hash in the user's database record.

To Validate a Password

Retrieve the user's salt and hash from the database.
Prepend the salt to the given password and hash it using the same hash function.
Compare the hash of the given password with the hash from the database. If they match, the password is correct. Otherwise, the password is incorrect.

Ref: https://crackstation.net/hashing-security.htm

How to compare this Salted password when user logs in?

2 Answers2