Using the following function you can encrypt an input string with bcrypt.

using System.Text;
using CryptSharp;

public static string CreatePassword(string password)
{
    // no need to provide a Salt value since bcrypt does that automatically
    byte[] PasswordBytes = Encoding.ASCII.GetBytes(password);

    return Crypter.Blowfish.Crypt(PasswordBytes);
}

This uses CryptSharp which is awesome, but how do you validate user input against the hash returned by this function?

I can't find any function in the library to do this.

The best way I can think to do it is with the following:

using System;
using System.Text;
using CryptSharp;

public static bool ValidatePassword(string password, string passwordHash)
{
    // crypt the entered password (this generates a fresh salt each time)
    string Crypted = Crypter.Blowfish.Crypt(Encoding.ASCII.GetBytes(password));

    // compare the crypted password against the value in the database
    if (String.Compare(Crypted, passwordHash, false) != 0) return false;

    return true;
}

The only problem with this is that the salt value will not be the same and so the values almost always will not agree.

Ortund

1 Answer


A salt is supposed to be unique, to avoid database password cracking for the same passwords. You should store the salt with the password, and when a user logs in you should check the user input and the password with the same salt.

In the second argument you can give a custom salt:

string salt = Crypter.Blowfish.GenerateSalt(20);
Crypter.Blowfish.Crypt(PasswordBytes, salt);

For validation you can use this:

using System.Text;
using CryptSharp;

public static bool ValidatePassword(string inputPassword, string storedPassword, string salt)
{
    // crypt the entered password and stored password with the same salt
    string CryptedInput = Crypter.Blowfish.Crypt(Encoding.ASCII.GetBytes(inputPassword), salt);
    string CryptedPassword = Crypter.Blowfish.Crypt(Encoding.ASCII.GetBytes(storedPassword), salt);

    // compare the crypted passwords
    return string.Equals(CryptedInput, CryptedPassword);
}
Pepernoot
    or use `var salt = Crypter.Blowfish.GenerateSalt(6)` – stuartd Sep 13 '16 at 15:06
  • Thought bcrypt generates its own salt values though? Anyway, this addresses the salt issue, but what about validating the password entered against what is stored? – Ortund Sep 13 '16 at 15:23
  • I know I'm late getting back to this but what I'm failing to understand is that if I'm generating a new salt at the login, then the new hash is clearly going to differ from the stored one, so how do I know where to get the stored salt from? – Ortund Oct 25 '16 at 14:05
  • Why would you change the salt at login? – Pepernoot Oct 25 '16 at 14:10
  • The purpose of a salt is to make each hash unique. If some users have the same password, the hashes aren't the same because you used a salt. Which means you hashed the password with some random text with it. The salt could be the username or email, but you could also use some random text. It also avoids people from using a rainbow table. That's a database with decrypted hashes. Because your passwords have some random text added to them (the salt), the hashes don't match with the hashes in the rainbow table. – Pepernoot Oct 25 '16 at 14:19
  • So you have to store your salt in a database. And when comparing user input with the hash in the database, you have to get the salt from the database and hash the input with that salt. – Pepernoot Oct 25 '16 at 14:24
  • **Your question** the new hash is clearly going to differ from the stored one, so how do I know where to get the stored salt from? **Answer** You have to store the salt you used to hash your password in a database or a file. And when a user logs in you have to use the salt you stored, and not create a new one, because that will give you a different hash because the salt is not the same as the salt you created the password with. – Pepernoot Oct 25 '16 at 14:35
  • The beauty of CryptSharp is that you only need do this: `bool isValid = Crypter.CheckPassword(clientProvidedPassword, storedHash)` as CryptSharp stores the salt with the password. You should use the original one, though: https://www.zer7.com/software/cryptsharp – ahwm Apr 18 '18 at 19:32
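The last comment is the part that resolves the thread: a bcrypt string already carries its own salt, so there is no separate salt column to look up. The example below is added here to make that concrete and is not code from the question, the answer, or the CryptSharp project. It assumes the CryptSharp API named on this page (`Crypter.Blowfish.Crypt(byte[])`, `Crypter.Blowfish.Crypt(byte[], string)` and `Crypter.CheckPassword(string, string)`), and it assumes that `Crypt(bytes, salt)` accepts the `$2a$NN$<22 chars>` prefix of an existing hash as the salt, which is what lets the explicit version recover the salt from the stored value. The `PasswordStore` class name and the `ValidatePasswordExplicit` helper are mine, not the library's.

```csharp
using System;
using System.Text;
using CryptSharp;   // https://www.zer7.com/software/cryptsharp

// Added example; not from the question, the answer, or CryptSharp itself.
public static class PasswordStore
{
    // Registration: bcrypt picks a random salt and embeds it in the returned
    // string, which looks like "$2a$10$" + 22 salt characters + 31 hash characters.
    // Only this one string needs to be stored; the salt travels inside it.
    public static string CreatePassword(string password)
    {
        return Crypter.Blowfish.Crypt(Encoding.UTF8.GetBytes(password));
    }

    // Login, the short way: CryptSharp reads the salt out of storedHash itself,
    // re-hashes the candidate with it and compares (this is the ahwm comment above).
    public static bool ValidatePassword(string password, string storedHash)
    {
        return Crypter.CheckPassword(password, storedHash);
    }

    // Login, spelled out: take the "$2a$NN$<salt>" prefix from the stored hash,
    // re-hash the candidate with exactly that salt, and compare the full strings.
    // Generating a new salt here (as the question's code did) can never match.
    public static bool ValidatePasswordExplicit(string password, string storedHash)
    {
        // 7 characters of header ("$2a$10$") + 22 characters of salt = 29.
        const int SaltPrefixLength = 29;
        if (storedHash == null
            || storedHash.Length <= SaltPrefixLength
            || !storedHash.StartsWith("$2", StringComparison.Ordinal))
        {
            return false;   // not a bcrypt string we know how to verify
        }

        // Assumption: CryptSharp accepts this prefix as the salt argument.
        string saltPrefix = storedHash.Substring(0, SaltPrefixLength);
        string recomputed = Crypter.Blowfish.Crypt(Encoding.UTF8.GetBytes(password), saltPrefix);
        return FixedTimeEquals(recomputed, storedHash);
    }

    // Compare every character rather than stopping at the first mismatch, so the
    // time taken does not reveal how much of the hash matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Usage:
//   string stored = PasswordStore.CreatePassword("correct horse battery staple");
//   bool ok  = PasswordStore.ValidatePassword("correct horse battery staple", stored);
//   bool bad = PasswordStore.ValidatePasswordExplicit("wrong guess", stored);
```

Two design notes. First, `Encoding.UTF8` is used instead of the `Encoding.ASCII` on this page so that non-ASCII passwords are not silently mangled to `?` before hashing; whichever encoding you pick, use the same one at registration and at login. Second, the stored-hash approach means the answer's three-argument `ValidatePassword(input, storedPassword, salt)` is unnecessary for bcrypt: the database never needs a plaintext password or a separate salt column, only the hash string.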