
I am developing a website using ASP.NET. I want to implement login authentication for my users. I am using the salt-and-hash method to securely save users' passwords to the DB. By looking at various code samples I wrote the code below to generate the salt and the hashed password to store in the database.

    using System;
    using System.Security.Cryptography;
    using System.Text;

    // Wrapper class added only so the snippet compiles as posted
    public class LoginStore
    {
        private string hashedPassword;
        private string Salt;
        private string SaltPlusPassword;
        private const byte saltSize = 24;   // 24 random bytes -> 32 Base64 characters
        byte[] saltArray;
        byte[] hashedPasswordArray;
        byte[] bytes;

        public void Save_Login(string passWord)
        {
            // Generate the random salt with a cryptographic RNG
            using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
            {
                saltArray = new byte[saltSize];
                rng.GetBytes(saltArray);
            }
            Salt = Convert.ToBase64String(saltArray);

            // Prepend the Base64 salt to the password and hash the UTF-8 bytes once with SHA-256
            SaltPlusPassword = String.Format("{0}{1}", Salt, passWord);
            using (SHA256 sha = SHA256.Create())
            {
                bytes = Encoding.UTF8.GetBytes(SaltPlusPassword);
                hashedPasswordArray = sha.ComputeHash(bytes);
            }

            hashedPassword = Convert.ToBase64String(hashedPasswordArray);
        }
    }

// Salt will be saved to the DB

// hashedPassword will be saved to the DB.

So I have a few questions.

1) I read in an article that says "make your salt at least as long as the hash function's output", OK. What are the sizes of the saltArray, hashedPasswordArray and bytes arrays declared in my code? I used a saltArray size of 24. Is it OK?

2) What will happen if I use

    bytes = Encoding.Unicode.GetBytes(SaltPlusPassword);

instead of

    bytes = Encoding.UTF8.GetBytes(SaltPlusPassword);

3) What datatype should I use to store the salt and the hashed password in the DB? (My DB is MySQL.)

4) Is there any performance difference if I use SHA256Managed instead of SHA256? Which is best?

5) Finally, am I doing this in the right way? What are the weaknesses in the above code? What are your suggestions?

Prageeth Liyanage
  • Are you going to use the salt code static? – Arijit Mukherjee Nov 18 '14 at 09:23
  • No Arijit. It's not a static salt code. It is randomly generated by using RNGCryptoServiceProvider. – Prageeth Liyanage Nov 18 '14 at 09:28
  • Then why are you storing it to the database? – Arijit Mukherjee Nov 19 '14 at 09:35
  • Arijit, I think you should read more about salted password hashing. :) Here is a link for you: https://crackstation.net/hashing-security.htm The salt should be randomly generated and you have to save both the salt and the hash in the user's database record. – Prageeth Liyanage Nov 19 '14 at 12:11
  • I never save the salt password. What I usually do in this case is store the hashed password in the DB, get the password, generate the salt in my application, add the password and salt; when the user tries to log in, hash the password and the salt using jQuery and send that data to my application, so the password that travels is always different. – Arijit Mukherjee Nov 20 '14 at 07:48
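Added here as an illustration of the store-and-verify flow the question is about (example code, not the asker's and not ASP.NET's own): it keeps the 24-byte salt and 32-byte SHA-256 output sizes from the question, but goes beyond it by replacing the single SHA-256 pass with PBKDF2 (Rfc2898DeriveBytes) and adding the constant-time verification step the posted code lacks. The class name PasswordStorage and the 100,000 iteration count are assumptions.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical class name; not from the question or from ASP.NET.
public static class PasswordStorage
{
    private const int SaltSize = 24;   // as in the question: 24 bytes -> 32 Base64 chars
    private const int HashSize = 32;   // SHA-256 output length in bytes (44 Base64 chars)
    private const int Iterations = 100_000; // PBKDF2 work factor: assumed value, tune per server

    // Create a random salt and the derived hash; both are stored as Base64 strings.
    public static (string Salt, string Hash) Create(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        byte[] hash = Derive(password, salt);
        return (Convert.ToBase64String(salt), Convert.ToBase64String(hash));
    }

    // Verify a login attempt against the stored salt and hash.
    public static bool Verify(string password, string storedSalt, string storedHash)
    {
        byte[] expected = Convert.FromBase64String(storedHash);
        byte[] actual = Derive(password, Convert.FromBase64String(storedSalt));
        // Constant-time comparison: does not leak how many leading bytes matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // PBKDF2-HMAC-SHA256 instead of one SHA-256 pass, so each guess is deliberately slow.
    // The string overload always encodes the password as UTF-8, so the
    // Encoding.UTF8 versus Encoding.Unicode question does not arise here.
    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(HashSize);
        }
    }

    public static void Main()
    {
        var (salt, hash) = Create("correct horse battery");
        Console.WriteLine($"salt: {salt.Length} chars, hash: {hash.Length} chars");
        Console.WriteLine(Verify("correct horse battery", salt, hash));
        Console.WriteLine(Verify("wrong password", salt, hash));
    }
}
```

Both Base64 strings fit in fixed-width MySQL columns sized from the constants above; the salt is not secret, but it must be stored alongside the hash or verification is impossible.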

1 Answer


Rather than deal with all these issues, why not use the built-in identity management tools provided by ASP.NET? See here:

http://www.asp.net/identity/overview/getting-started/introduction-to-aspnet-identity

Much more common and robust.

sonofaforester