Validating salt in database

Question

I can store the password hashed and with random salt. How can i validate the password?

    Public Function GetSaltedHash(pw As String, salt As String) As String
    Dim tmp As String = pw & salt


    Using hash As HashAlgorithm = New SHA512Managed()

        Dim saltyPW = Encoding.UTF8.GetBytes(tmp)

        Dim hBytes = hash.ComputeHash(saltyPW)

        Return Convert.ToBase64String(hBytes)
    End Using
End Function

    Public Function CreateNewSalt(size As Integer) As String

    Using rng As New RNGCryptoServiceProvider

        Dim data(If(size < 7, 7, size)) As Byte

        rng.GetBytes(data)

        Return Convert.ToBase64String(data)
    End Using
End Function

Creating a password with hash and random salt

Const SaltSize As Integer = 31
Dim pw As String = txt_regpass.Text
Dim dbSalt = CreateNewSalt(SaltSize)

GetSaltedHash(pw, dbSalt))

The answer that code comes from explains how: run the password attempt thru the same hashing mechanism and compare that result to the one stored. You dont validate the salt but the PW hash - you would need to use the salt originally used to hash the saved PW. — Ňɏssa Pøngjǣrdenlarp, Sep 19 '16 at 14:45
Did you read this? http://stackoverflow.com/questions/1219899/where-do-you-store-your-salt-strings — Thorsten Dittmar, Sep 19 '16 at 14:45
This password hashing code is really weak. At the absolute least you should be using [Bcrypt](http://bcrypt.codeplex.com). — tadman, Sep 19 '16 at 14:58
Using the same hashing don't work. I think because of random salt. — user6737469, Sep 19 '16 at 15:00
You dont use a new salt when testing an attempt *use the salt originally used to hash the saved PW.* — Ňɏssa Pøngjǣrdenlarp, Sep 19 '16 at 15:11
@user6737469 Add another column to your database for the salt. Also, you can store the salt and hash as `BINARY` instead of using Base64 strings` if you want to. — Andrew Morton, Sep 19 '16 at 17:40

score 0 · Answer 1 · edited May 23 '17 at 12:16

0

Essentially you save the salt with the hash value, generally as a prefix—the hash does not need to be secret.

Better: Use bcrypt, it will do it all for you, iterates and is secure.
See the SO answer by Plutonix.

Simply using SHA512 or any hash function without iteration is very weak and vulnerable.

edited May 23 '17 at 12:16

Community

1
1

answered Sep 19 '16 at 15:30

zaph

111,848
21
189
228

Where can i find the DLL files of bcrypt? How to import? – user6737469 Sep 19 '16 at 16:20
See SO question: [.net implementation of bcrypt](http://stackoverflow.com/q/873403/451475) and/or google. Other options in place of `bcrypt` include `scrypt` and `PBKDF2`. `PBKDF2` sometimes has a name similar to `RFC2898`. – zaph Sep 19 '16 at 16:53
1

@zaph PBKDF2 in the .NET framework is the [Rfc2898DeriveBytes Class](https://msdn.microsoft.com/en-us/library/system.security.cryptography.rfc2898derivebytes(v=vs.110).aspx). – Andrew Morton Sep 19 '16 at 17:36
Hi! I tried `bcrypt` but i'm having a hard time when verifying the input password and the hashed password from database. – user6737469 Sep 20 '16 at 16:48
See the SO answer by [Plutonix](http://stackoverflow.com/a/39602006/451475) – zaph Sep 20 '16 at 19:17

Validating salt in database

1 Answers1