
I have hashed the passwords using SHA256. I have written a random salt generator which generates a random salt every time; the salt is added to the password, which then gets encrypted and stored in the database. Now I am trying to authenticate the users and I am not sure how to do that. Here is what I am doing:

    using System;
    using System.Security.Cryptography;
    using System.Text;

    public class PasswordHasher
    {
        public static String ByteArrayToHexString(byte[] ba) // Hex-encode a byte array, two lowercase digits per byte
        {
            StringBuilder hex = new StringBuilder(ba.Length * 2);
            foreach (byte b in ba)
            {
                hex.AppendFormat("{0:x2}", b);
            }
            return hex.ToString();
        }

        public String CreateSalt(int size) // Function to generate a random salt of `size` bytes, Base64 encoded
        {
            using (var rng = new RNGCryptoServiceProvider())
            {
                var buff = new byte[size];
                rng.GetBytes(buff);
                return Convert.ToBase64String(buff);
            }
        }

        public String GenerateSHA256Hash(String input, String salt) // Function to hash the user input combined with the randomly generated salt
        {
            byte[] bytes = Encoding.UTF8.GetBytes(input + salt);
            using (var sha256 = new SHA256Managed())
            {
                byte[] hash = sha256.ComputeHash(bytes);
                return ByteArrayToHexString(hash);
            }
        }
    }

I can store it successfully, but now how can I authenticate the users? Thanks in advance! :)


2 Answers


To authenticate users, you must store the salt with the user record. You do not need to encrypt the salt.

When someone tries to log in, you retrieve both the salt and the hash for the user. You use the salt to hash the attempted password and you compare this new hash with the hash you had saved for the user. If you combine the same salt with the same input in the same way as the original, and use the same hashing algorithm, you'll end up with the same hash, and so you can authenticate users by comparing the hashes.

I strongly urge you, though, to avoid writing this code yourself at all. It's just so easy to write authentication code that seems to work correctly — let's good attempts in, and seems to keep bad attempts out — but is subtly flawed in ways such that you come back a year later and find out you were hacked six months ago.

Instead, rely as much as possible on whatever solution is provided for your platform. If there isn't one available, find a pre-existing library. Security and authentication code is one thing you want to leave to experts.


1 Comment

Can you please elaborate more on this. I mean can you show me an example? I have fetched the username and password entered by the user. I am trying to fetch the salt from the database so that I can add it to the password entered by the user. But I am not able to do so.
  1. You have hashed your passwords, not encrypted them.
  2. You also need to save the salt somewhere; if not, you cannot authenticate.

After that, when a user sends their password you can use the same function GenerateSHA256Hash() to check whether the user's password + salt returns the same hash as the one you previously saved.

2 Comments

But for this, I have to fetch the salt from the database, and I am not able to fetch it successfully :(
SHA256 is the wrong function to use for this. See Our password hashing has no clothes.
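An added example (my own code, not the poster's or either answerer's) of the flow the first answer describes: fetch the stored salt and hash for the user, recompute the hash from the attempted password with that salt, and compare. It assumes .NET 6 or later, uses an in-memory dictionary as a constructed stand-in for the database, compares hashes in fixed time, and, following the last comment's point that a single SHA-256 pass is the wrong choice, also shows the platform-provided PBKDF2 path via Rfc2898DeriveBytes. The class and method names, the user names and the iteration count are assumed values.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical shape of the user row: the salt is stored in clear next to the hash.
public sealed class StoredCredential
{
    public string Salt { get; set; }
    public string Hash { get; set; }
}

public static class PasswordAuth
{
    // Constructed in-memory stand-in for the users table.
    private static readonly Dictionary<string, StoredCredential> Users =
        new Dictionary<string, StoredCredential>();

    public static string CreateSalt(int size)
    {
        var buff = new byte[size];
        RandomNumberGenerator.Fill(buff);
        return Convert.ToBase64String(buff);
    }

    // Same construction as the question: SHA-256 over UTF-8(password + salt), hex encoded.
    public static string GenerateSHA256Hash(string input, string salt)
    {
        byte[] hash = SHA256.HashData(Encoding.UTF8.GetBytes(input + salt));
        return Convert.ToHexString(hash).ToLowerInvariant();
    }

    // Registration: generate a fresh salt per user and persist salt and hash together.
    public static void Register(string username, string password)
    {
        string salt = CreateSalt(16);
        Users[username] = new StoredCredential { Salt = salt, Hash = GenerateSHA256Hash(password, salt) };
    }

    // Authentication: fetch salt + hash for the user, recompute with the stored salt,
    // and compare in fixed time so the comparison itself leaks nothing about the hash.
    public static bool Authenticate(string username, string attempt)
    {
        if (!Users.TryGetValue(username, out StoredCredential stored))
        {
            // Unknown user: still do the hashing work so response time does not
            // reveal whether the username exists, then fail.
            GenerateSHA256Hash(attempt, "dummy-salt");
            return false;
        }
        string candidate = GenerateSHA256Hash(attempt, stored.Salt);
        return CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(candidate),
            Encoding.UTF8.GetBytes(stored.Hash));
    }

    // Platform-provided alternative to a single SHA-256 pass (see the comment above):
    // PBKDF2 with a work factor. The iteration count is an assumed value for this example.
    private const int Pbkdf2Iterations = 600_000;

    public static byte[] HashPbkdf2(string password, byte[] salt)
    {
        return Rfc2898DeriveBytes.Pbkdf2(password, salt, Pbkdf2Iterations, HashAlgorithmName.SHA256, 32);
    }

    public static bool VerifyPbkdf2(string attempt, byte[] salt, byte[] storedHash)
    {
        return CryptographicOperations.FixedTimeEquals(HashPbkdf2(attempt, salt), storedHash);
    }

    public static void Main()
    {
        Register("alice", "correct horse battery staple");
        Console.WriteLine(Authenticate("alice", "correct horse battery staple"));
        Console.WriteLine(Authenticate("alice", "wrong password"));
        Console.WriteLine(Authenticate("bob", "anything"));

        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] stored = HashPbkdf2("correct horse battery staple", salt);
        Console.WriteLine(VerifyPbkdf2("correct horse battery staple", salt, stored));
        Console.WriteLine(VerifyPbkdf2("wrong password", salt, stored));
    }
}
```

The salt is never secret; what matters is that each user gets a fresh one and that the same salt is reread from the user's row at login. The dummy hash on the unknown-user path and the fixed-time comparison are defensive details the answers do not spell out but that a login routine should have; the PBKDF2 pair shows what "rely on whatever solution is provided for your platform" looks like in .NET.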
