3

Please check the class bellow. Here i am doing password hash then comparing this password hash. Now my question is is it best practice to store user password securely? Please advice and you can add better implementation on my class. Thanks in advance

public class myCrypto
    {
        public static string MakeHash(string value)
        {
            return Convert.ToBase64String(SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes(value)));
        }

        public static bool CompareHash(string plainString, string hashString)
        {
            if (MakeHash(plainString)==hashString)
            {
                return true;
            }
            else
            {
                return false;
            }
        }
    }
John Doe
  • 317
  • 1
  • 3
  • 8

1 Answers1

3

For more information on hashing take a look at this answer:

What is currently the most secure one-way encryption algorithm?

However, do not under any circumstance ever store your users password. Only ever store the salted Hash. If you do that, even if the hash is discovered by hackers it will be of only limited use to them.

If you do that you can relatively safely store them in a secure database. Make sure that all the security best practices are followed for the database.

Also take a look at: Best way to store password in database.

Note that you are not salting your passwords first. This is a serious security hole, as if a hacker discovers your hashing algorithm and had access to your saved hashes, he can simply compare the hashes to pre-hashed common passwords, to discover the passwords of a large percentage of your users.

A salt is a random piece of text/binary blob you add to the end of a password before hashing. This should be different for each user, and stored with the hash. That way, even two people with the same password will have different hashes, making a hackers life far harder.

This answer discusses salting a password in C#: Hash and salt passwords in C#. It does not explain how the salt is generated. It should be random, and different per user, but does not need to cryptographically secure. System.Random will probably do fine.

Yair Halberstadt
  • 5,733
  • 28
  • 60
  • Wouldn't storing the salt along with the hash defeat its purpose? – FercoCQ Jan 24 '19 at 00:00
  • Nope, since the salt is different for every person. – Yair Halberstadt Jan 24 '19 at 07:46
  • 1
    Whereas previously he could have hashed the thousand most common passwords, compared them to the millions of passwords in the database, and seen which subset of users use those passwords, now doing so would only work for one user at a time, at which point it's no longer worth it – Yair Halberstadt Jan 24 '19 at 07:48
  • I thought the purpose of the salt was to introduce an unkown text into the _probably common_ password so a hacker couldn't just hash common passwords to check against the hash. After further reading I realize it's purpose is what you said, just a deterrent because of the extra time needed to attack the whole passwords list. Did I always misunderstand the salt's purpose? Or was it meant to be secret at some point in history? – FercoCQ Jan 26 '19 at 20:57