Generate password hash and save to database


-1

Can someone provide me with code that shows how to hash passwords and save them to the database? I've already tried to do it, but it's giving me a headache; if someone has already done it, I would really appreciate your help with this.

3 answers

2

The method below stores the password in two fields, a binary(16) and a binary(64), which hold the salt and the password itself, respectively.

using System;
using System.Security.Cryptography;
using System.Text;
using CryptSharp.Utility;   // Pbkdf2 comes from the CryptSharp NuGet package

// 16 random bytes for the salt, taken from a cryptographic RNG
private byte[] CreateSalt()
{
    var salt = new byte[16];
    using (var provider = new RNGCryptoServiceProvider())
    {
        provider.GetBytes(salt);
    }
    return salt;
}

// Derives a 64-byte key from the password with PBKDF2-HMAC-SHA512 and
// 65535 iterations (UInt16.MaxValue). Returns the salt and the derived
// key so they can be written to the binary(16) and binary(64) columns.
public (byte[] Salt, byte[] Hash) SalvarSenha(dynamic dto)
{
    var hmac = new HMACSHA512 { Key = Encoding.UTF8.GetBytes(dto.Password) };
    var salt = this.CreateSalt();
    var hash = Pbkdf2.ComputeDerivedKey(hmac, salt, UInt16.MaxValue, hmac.HashSize / 8);
    return (salt, hash);
}

To make the above code work, you need to add the following NuGet package:

CryptSharp (Official Version)
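As an added example (not the answer's code and not part of CryptSharp), the same scheme built with only the .NET base class library: a 16-byte random salt, PBKDF2-HMAC-SHA512 with 65535 iterations and a 64-byte output, plus the login-time verification step the answer does not show, which recomputes the key with the stored salt and compares it in constant time. It assumes .NET 6 or later (for `Rfc2898DeriveBytes.Pbkdf2` and `RandomNumberGenerator.GetBytes`); the `PasswordHasher` class and the `PasswordRecord` type are hypothetical names.

```csharp
using System;
using System.Security.Cryptography;

public static class PasswordHasher
{
    // Sizes match the binary(16) salt and binary(64) hash columns from the answer.
    private const int SaltSize = 16;
    private const int HashSize = 64;        // SHA-512 output length
    private const int Iterations = 65535;   // same count as UInt16.MaxValue in the answer

    // Hypothetical record that maps onto the two database columns.
    public sealed record PasswordRecord(byte[] Salt, byte[] Hash);

    // Fresh random salt per user, then PBKDF2-HMAC-SHA512 over the password.
    public static PasswordRecord Create(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA512, HashSize);
        return new PasswordRecord(salt, hash);
    }

    // Recompute with the stored salt and compare in constant time, so the
    // comparison does not leak how many leading bytes matched.
    public static bool Verify(string password, PasswordRecord stored)
    {
        byte[] candidate = Rfc2898DeriveBytes.Pbkdf2(
            password, stored.Salt, Iterations, HashAlgorithmName.SHA512, stored.Hash.Length);
        return CryptographicOperations.FixedTimeEquals(candidate, stored.Hash);
    }

    public static void Main()
    {
        // Constructed sample: these two values are what you would INSERT into
        // the salt and hash columns (bind them as binary parameters).
        PasswordRecord rec = Create("correct horse battery staple");
        Console.WriteLine($"salt={Convert.ToHexString(rec.Salt)}");
        Console.WriteLine($"hash={Convert.ToHexString(rec.Hash)}");

        // Later, at login, read the two columns back and verify the attempt.
        Console.WriteLine(Verify("correct horse battery staple", rec));
        Console.WriteLine(Verify("wrong password", rec));
    }
}
```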

-1

This code generates an MD5 hash of the password, which I use when I need to save it encrypted in the database:

using System.Security.Cryptography;
using System.Text;

// Returns the MD5 digest of the input as a lowercase hex string
public string HashMd5(string input)
{
    using (MD5 md5Hash = MD5.Create())
    {
        byte[] data = md5Hash.ComputeHash(Encoding.UTF8.GetBytes(input));

        // Format each byte as two hexadecimal characters
        StringBuilder sBuilder = new StringBuilder();
        for (int i = 0; i < data.Length; i++)
        {
            sBuilder.Append(data[i].ToString("x2"));
        }

        return sBuilder.ToString();
    }
}

I've used it for a long time and it has always worked well. I got it here

  • 1

    Hash functions are not suitable for protecting a password, and among all of them, MD5 is the most flawed and broken of all.

  • I was not aware of this; for what reasons is the use of MD5 not advisable in this case?

  • 2

    A strong cryptographic algorithm has to meet three premises: not suffer from collisions, not be reversible, and be costly (to prevent brute-force attacks). MD5, like any hash, is not reversible, but unlike SHA-2, collisions can occur, and finally every hash algorithm is very cheap: you can run it millions of times per second.

  • 1

    In my answer, I'm using PBKDF2, which uses a unique salt per user, SHA-512 as the hash function and 65535 iterations.

  • 1

    In practice, it is as if it concatenated the password with the salt and performed the hash 65535 times; this process takes about 1 second depending on the processor, so a brute-force attack is unfeasible.

  • 1

    @Renato http://answall.com/q/2402/101

  • Live and learn. I have always used MD5, and although it is a good solution where I am applying it, I will study the application of the algorithms you mentioned. Thank you very much for the explanation.

  • @Renato, you're welcome. Hash algorithms are designed to check the integrity of a file: for example, you publish the hash and a download link, the user downloads the file, generates the hash of the file and compares it with yours; if they are equal, it is because the file is not corrupted. And for it to be efficient for this use, it needs to be very fast and lightweight.


-2

Creating a simple hash is not rocket science. You can build one with simple logic, just search. Or simply take the typed string as the password and call the GetHashCode() extension method to store and validate the user's input in the system.

If you want something more advanced and it is a web project, I recommend implementing Membership or Identity.

  • 1

    Do not do such a thing. See http://answall.com/q/2402/101
