How to hash a password
I\'d like to store the hash of a password on the phone, but I\'m not sure how to do it. I can only seem to find encryption methods. How should the password be hashed properl
-
I use a hash and a salt for my password encryption (it's the same hash that Asp.Net Membership uses):
private string PasswordSalt { get { var rng = new RNGCryptoServiceProvider(); var buff = new byte[32]; rng.GetBytes(buff); return Convert.ToBase64String(buff); } } private string EncodePassword(string password, string salt) { byte[] bytes = Encoding.Unicode.GetBytes(password); byte[] src = Encoding.Unicode.GetBytes(salt); byte[] dst = new byte[src.Length + bytes.Length]; Buffer.BlockCopy(src, 0, dst, 0, src.Length); Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length); HashAlgorithm algorithm = HashAlgorithm.Create("SHA1"); byte[] inarray = algorithm.ComputeHash(dst); return Convert.ToBase64String(inarray); }讨论(0) -
Based on csharptest.net's great answer, I have written a Class for this:
public static class SecurePasswordHasher { /// <summary> /// Size of salt. /// </summary> private const int SaltSize = 16; /// <summary> /// Size of hash. /// </summary> private const int HashSize = 20; /// <summary> /// Creates a hash from a password. /// </summary> /// <param name="password">The password.</param> /// <param name="iterations">Number of iterations.</param> /// <returns>The hash.</returns> public static string Hash(string password, int iterations) { // Create salt byte[] salt; new RNGCryptoServiceProvider().GetBytes(salt = new byte[SaltSize]); // Create hash var pbkdf2 = new Rfc2898DeriveBytes(password, salt, iterations); var hash = pbkdf2.GetBytes(HashSize); // Combine salt and hash var hashBytes = new byte[SaltSize + HashSize]; Array.Copy(salt, 0, hashBytes, 0, SaltSize); Array.Copy(hash, 0, hashBytes, SaltSize, HashSize); // Convert to base64 var base64Hash = Convert.ToBase64String(hashBytes); // Format hash with extra information return string.Format("$MYHASH$V1${0}${1}", iterations, base64Hash); } /// <summary> /// Creates a hash from a password with 10000 iterations /// </summary> /// <param name="password">The password.</param> /// <returns>The hash.</returns> public static string Hash(string password) { return Hash(password, 10000); } /// <summary> /// Checks if hash is supported. /// </summary> /// <param name="hashString">The hash.</param> /// <returns>Is supported?</returns> public static bool IsHashSupported(string hashString) { return hashString.Contains("$MYHASH$V1$"); } /// <summary> /// Verifies a password against a hash. /// </summary> /// <param name="password">The password.</param> /// <param name="hashedPassword">The hash.</param> /// <returns>Could be verified?</returns> public static bool Verify(string password, string hashedPassword) { // Check hash if (!IsHashSupported(hashedPassword)) { throw new NotSupportedException("The hashtype is not supported"); } // Extract iteration and Base64 string var splittedHashString = hashedPassword.Replace("$MYHASH$V1$", "").Split('$'); var iterations = int.Parse(splittedHashString[0]); var base64Hash = splittedHashString[1]; // Get hash bytes var hashBytes = Convert.FromBase64String(base64Hash); // Get salt var salt = new byte[SaltSize]; Array.Copy(hashBytes, 0, salt, 0, SaltSize); // Create hash with given salt var pbkdf2 = new Rfc2898DeriveBytes(password, salt, iterations); byte[] hash = pbkdf2.GetBytes(HashSize); // Get result for (var i = 0; i < HashSize; i++) { if (hashBytes[i + SaltSize] != hash[i]) { return false; } } return true; } }Usage:
// Hash var hash = SecurePasswordHasher.Hash("mypassword"); // Verify var result = SecurePasswordHasher.Verify("mypassword", hash);A sample hash could be this:
$MYHASH$V1$10000$Qhxzi6GNu/Lpy3iUqkeqR/J1hh8y/h5KPDjrv89KzfCVrubnAs you can see, I also have included the iterations in the hash for easy usage and the possibility to upgrade this, if we need to upgrade.
If you are interested in .net core, I also have a .net core version on Code Review.
讨论(0) -
Use the below class to Generate a Salt first. Each user needs to have a different salt, we can save it in the database along with the other user properties. The rounds value decides the number of times the password will be hashed.
For more details: https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.rfc2898derivebytes.-ctor?view=netcore-3.1#System_Security_Cryptography_Rfc2898DeriveBytes__ctor_System_Byte___System_Byte___System_Int32_
public class HashSaltWithRounds { int saltLength = 32; public byte[] GenerateSalt() { using (var randomNumberGenerator = new RNGCryptoServiceProvider()) { var randomNumber = new byte[saltLength]; randomNumberGenerator.GetBytes(randomNumber); return randomNumber; } } public string HashDataWithRounds(byte[] password, byte[] salt, int rounds) { using(var rfc2898= new Rfc2898DeriveBytes(password, salt, rounds)) { return Convert.ToBase64String(rfc2898.GetBytes(32)); } } }We can call it from a console application as follows. I have hashed the password twice using the same salt.
public class Program { public static void Main(string[] args) { int numberOfIterations = 99; var hashFunction = new HashSaltWithRounds(); string password = "Your Password Here"; byte[] salt = hashFunction.GenerateSalt(); var hashedPassword1 = hashFunction.HashDataWithRounds(Encoding.UTF8.GetBytes(password), salt, numberOfIterations); var hashedPassword2 = hashFunction.HashDataWithRounds(Encoding.UTF8.GetBytes(password), salt, numberOfIterations); Console.WriteLine($"hashedPassword1 :{hashedPassword1}"); Console.WriteLine($"hashedPassword2 :{hashedPassword2}"); Console.WriteLine(hashedPassword1.Equals(hashedPassword2)); Console.ReadLine(); } }讨论(0)
加载中...
- 热议问题