Detailed explanation of how to execute hash and salt operations on passwords

Source: Internet
Author: User

The hash and Salt operations on passwords are not unfamiliar. The two Visual Studio Enterprise Edition examples use this method to encrypt this method. Combined with the sample code, I summarized a class that includes static methods such as encryption and comparison of passwords.
Instructions for use: Use the HashAndSalt method to encrypt the password and store it in the database. When a user logs on, use the ComparePasswords method to compare the password entered by the user with the password stored in the database during user registration, and determine whether the password entered by the user is correct.

 

Credentials. cs

Using System;
Using System. IO;
Using System. Text;
Using System. Security. Cryptography;
 
Namespace BookStore. Common
{
/// <Summary>
/// Summary of Credentials.
/// Principle:
/// Hash the password
/// To avoid storing passwords in plain text, a common security method is to hash the passwords. As shown in the following code, hash the password using the System. Security. Cryptography namespace (which implements the 160-bit SHA-1 standard. For more information, see SHA1 members.
/// Perform the Salt operation on the hash
/// Although it is a good start to execute hash operations on passwords, to increase security against potential attacks, You can execute Salt operations on Hash operations on passwords. Salt is a random number inserted in the password that has executed the hash operation. This policy helps prevent potential attackers from exploiting pre-computed dictionary attacks. Dictionary attacks are attacks that allow attackers to use all possible combinations of keys to crack passwords. When you use the Salt value to further randomize the hash operation, attackers will need to create a dictionary for each Salt value, which will make the attack very complex and costly.
/// The Salt value is stored together with the hash and is not encrypted. The stored Salt value can be used for password verification later.
/// </Summary>
Public class Credentials
{
Private static string key = "! 48% 0d-F = cj>, s & 2 "; // key (increase password complexity, it seems redundant)
Private const int saltLength = 4; // defines the length of the salt value
 
/// <Summary>
/// Hash and Salt the password
/// </Summary>
/// <Param name = "Password"> Password entered by the user </param>
/// <Returns> </returns>
Public static byte [] HashAndSalt (string Password)
{
Return CreateDbPassword (HashPassword (Password ));
}
 
/// <Summary>
/// Add the key to the password entered by the user and then hash the SHA1
/// </Summary>
/// <Param name = "Password"> Password entered by the user </param>
/// <Returns> returns the byte [] (20 bytes for 160 bits) after the 160-bit SHA-1 hash. </returns>
Private static byte [] HashPassword (string Password)
{
// Create SHA1's object instance sha1
SHA1 sha1 = SHA1.Create ();
// Calculate the hash value of input data
Return sha1.ComputeHash (Encoding. Unicode. GetBytes (Password + key ));
}

/// <Summary>
/// Compare whether the password in the database is the same as the password entered
/// </Summary>
/// <Param name = "storedPassword"> password in the database </param>
/// <Param name = "Password"> Password entered by the user </param>
/// <Returns> true: equal/false: unequal </returns>
Public static bool ComparePasswords (byte [] storedPassword, string Password)
{
// Hash the password entered by the user
Byte [] hashedPassword = HashPassword (Password );
 
If (storedPassword = null | hashedPassword. Length! = StoredPassword. Length-saltLength)
{
Return false;
}
 
// Obtain the salt value of the password in the database. The last four bytes of the password in the database are the salt value.
Byte [] saltValue = new byte [saltLength];
Int saltOffset = storedPassword. Length-saltLength;
For (int I = 0; I <saltLength; I ++ ){
& N

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.