1001binary
Hashing Password combining with Salt in C# and VB.NET

In this post, I show you how to protect passwords using a salted hash.

Hashing passwords with a salt is one of the best practices for protecting user accounts from hackers, and from anyone you don't want seeing plain-text passwords in databases or text files. This is really great. If hackers have stolen a database, they still need a lot more time to recover the passwords from the hashes; it won't be easy at all. Meanwhile, you have time to reset all passwords or ask users to change their passwords right away.

My background is as a .NET developer, so I have written two simple functions in C# and VB.NET, shown below.

C#

using System;
using System.Security.Cryptography;

public class SecurityHelper
{
    // Returns a Base64-encoded random salt of nSalt bytes
    public static string GenerateSalt(int nSalt)
    {
        var saltBytes = new byte[nSalt];

        using (var provider = new RNGCryptoServiceProvider())
        {
            provider.GetNonZeroBytes(saltBytes);
        }

        return Convert.ToBase64String(saltBytes);
    }

    // Derives nHash bytes from the password and salt with PBKDF2 (RFC 2898) and Base64-encodes them.
    // The same salt, nIterations and nHash must be used again later to verify a login.
    public static string HashPassword(string password, string salt, int nIterations, int nHash)
    {
        var saltBytes = Convert.FromBase64String(salt);

        using (var rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, saltBytes, nIterations))
        {
            return Convert.ToBase64String(rfc2898DeriveBytes.GetBytes(nHash));
        }
    }
}

VB.NET

Imports System.Security.Cryptography

Public Class SecurityHelper
    ' Returns a Base64-encoded random salt of nSalt bytes
    Public Shared Function GenerateSalt(ByVal nSalt As Integer) As String
        ' VB.NET array declarations give the upper bound, so nSalt - 1 yields exactly nSalt bytes
        Dim saltBytes = New Byte(nSalt - 1) {}

        Using provider = New RNGCryptoServiceProvider()
            provider.GetNonZeroBytes(saltBytes)
        End Using

        Return Convert.ToBase64String(saltBytes)
    End Function

    ' Derives nHash bytes from the password and salt with PBKDF2 (RFC 2898) and Base64-encodes them.
    ' The same salt, nIterations and nHash must be used again later to verify a login.
    Public Shared Function HashPassword(ByVal password As String, ByVal salt As String, ByVal nIterations As Integer, ByVal nHash As Integer) As String
        Dim saltBytes = Convert.FromBase64String(salt)

        Using rfc2898DeriveBytes = New Rfc2898DeriveBytes(password, saltBytes, nIterations)
            Return Convert.ToBase64String(rfc2898DeriveBytes.GetBytes(nHash))
        End Using
    End Function
End Class

For example:

string pwd = "123Abc#@";
string salt = SecurityHelper.GenerateSalt(70);
string pwdHashed = SecurityHelper.HashPassword(pwd, salt, 10101, 70);
Console.WriteLine(pwdHashed);
Console.WriteLine(salt);

Hope you enjoy this post.

Happy coding :)

Top comments (4)

Mganda

From what you have, this is how you would verify a password:

public static bool verifypassword(string password, string hashed_password, string salt, int nIterations, int nHash)
{
    // Re-derive with the same salt, iteration count and output length that produced the stored hash
    string new_hashed = SecurityHelper.HashPassword(password, salt, nIterations, nHash);
    return new_hashed.Equals(hashed_password);
}
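The full round trip that the post's example and the verification in the comment above leave implicit, as an added example (my code, not the original post's helpers or the commenter's code): create a stored record for a password, then verify a login attempt against it. Three things differ from the post's helpers, and all three are my choices rather than anything the post states: the salt and iteration count are stored inside the record (a constructed format, `pbkdf2-sha256$iterations$salt$hash`) so a verifier never has to guess which parameters produced a hash and the iteration count can be raised later without breaking old records; the KDF is PBKDF2 with HMAC-SHA256 instead of the SHA-1 default of the constructor used in the post; and the comparison uses `CryptographicOperations.FixedTimeEquals` rather than string `Equals`. It assumes .NET Core 2.1 or later (including .NET 5+) and runs as a console program.

```csharp
// Added example, not code from the original post. Assumes .NET Core 2.1+ / .NET 5+.
// Record format (my own choice): pbkdf2-sha256$<iterations>$<base64 salt>$<base64 hash>
using System;
using System.Security.Cryptography;

public static class PasswordStorage
{
    private const string Scheme = "pbkdf2-sha256";
    private const int SaltSize = 16;               // 128-bit salt, fresh per password
    private const int HashSize = 32;               // 256-bit derived key
    private const int DefaultIterations = 600000;  // slows offline guessing; raise over time

    // Produces a self-describing record to store instead of the password
    public static string Hash(string password, int iterations = DefaultIterations)
    {
        if (password == null) throw new ArgumentNullException(nameof(password));
        if (iterations < 1) throw new ArgumentOutOfRangeException(nameof(iterations));

        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }

        byte[] hash = Derive(password, salt, iterations);
        return string.Join("$", Scheme, iterations.ToString(),
            Convert.ToBase64String(salt), Convert.ToBase64String(hash));
    }

    // Re-derives with the parameters stored in the record and compares in constant time.
    // Any malformed record is treated as a failed login instead of throwing.
    public static bool Verify(string password, string record)
    {
        if (password == null || record == null) return false;

        string[] parts = record.Split('$');   // Base64 never contains '$', so the split is safe
        if (parts.Length != 4 || parts[0] != Scheme) return false;

        int iterations;
        if (!int.TryParse(parts[1], out iterations) || iterations < 1) return false;

        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[2]);
            expected = Convert.FromBase64String(parts[3]);
        }
        catch (FormatException)
        {
            return false;
        }

        // Rfc2898DeriveBytes rejects salts shorter than 8 bytes; also require the full hash length
        if (salt.Length < 8 || expected.Length != HashSize) return false;

        byte[] actual = Derive(password, salt, iterations);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(HashSize);
        }
    }
}

public static class Program
{
    public static void Main()
    {
        const string password = "123Abc#@";   // same sample password as the post

        string record1 = PasswordStorage.Hash(password);
        string record2 = PasswordStorage.Hash(password);
        Console.WriteLine(record1);
        Console.WriteLine(record2);
        // Same password, different random salt: the two records differ
        Console.WriteLine("records differ:   " + (record1 != record2));

        Console.WriteLine("correct password: " + PasswordStorage.Verify(password, record1));
        Console.WriteLine("wrong password:   " + PasswordStorage.Verify("123Abc#!", record1));
        Console.WriteLine("garbage record:   " + PasswordStorage.Verify(password, "not-a-record"));
    }
}
```

Because the record carries its own iteration count, a deployment can increase `DefaultIterations` later and rehash each user on their next successful login, while existing records keep verifying. Malformed records and undersized salts return `false` rather than throwing, so a corrupted row cannot turn the login path into an exception-driven error page.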
Krammig

I guess the question by @parajdox was: how to verify the user against the hashed password.

John Dave Dalmao

How do we decrypt this?

juliancollinson

The main point of any hash algorithm is that it works only one way.
Decryption should be impossible once the hash operation is done.
Generally this works perfectly for passwords, because there is no need to decrypt the hashed password: you just need to hash the password entered in the login form and compare it with the hash saved in the DB.