DEV Community: Saidur Rahman Akash

Hashing and Salting Passwords in C#

Saidur Rahman Akash — Mon, 11 Aug 2025 05:03:03 +0000

In the realm of cybersecurity, protecting user passwords is paramount to safeguarding sensitive information. Hashing and salting are fundamental techniques employed to enhance the security of stored passwords. In C#, developers can utilize these practices to fortify their authentication systems against unauthorized access and data breaches.

Hashing Passwords: A One-Way Journey

When a user creates an account or updates their password, hashing comes into play. Hashing is a process of transforming a plaintext password into an irreversible, fixed-length string of characters. In C#, developers often use cryptographic hash functions like SHA-256 or bcrypt for this purpose. The resulting hash is unique to each password, making it infeasible for attackers to reverse the process and retrieve the original password.

static string HashPassword(string password, byte[] salt)
        {
            using (var sha256 = new SHA256Managed())
            {
                byte[] passwordBytes = Encoding.UTF8.GetBytes(password);
                byte[] saltedPassword = new byte[passwordBytes.Length + salt.Length];

                // Concatenate password and salt
                Buffer.BlockCopy(passwordBytes, 0, saltedPassword, 0, passwordBytes.Length);
                Buffer.BlockCopy(salt, 0, saltedPassword, passwordBytes.Length, salt.Length);

                // Hash the concatenated password and salt
                byte[] hashedBytes = sha256.ComputeHash(saltedPassword);

                // Concatenate the salt and hashed password for storage
                byte[] hashedPasswordWithSalt = new byte[hashedBytes.Length + salt.Length];
                Buffer.BlockCopy(salt, 0, hashedPasswordWithSalt, 0, salt.Length);
                Buffer.BlockCopy(hashedBytes, 0, hashedPasswordWithSalt, salt.Length, hashedBytes.Length);

                return Convert.ToBase64String(hashedPasswordWithSalt);
            }
        }

Salting: Adding a Dash of Complexity
Hashing alone, while effective, can be vulnerable to attacks like rainbow table attacks. This is where salting comes in. A salt is a random value unique to each user. It is combined with the password before hashing, introducing an additional layer of complexity. Even if two users have the same password, their hashes will differ due to the unique salts

static byte[] GenerateSalt()
        {
            using (var rng = new RNGCryptoServiceProvider())
            {
                byte[] salt = new byte[16]; // Adjust the size based on your security requirements
                rng.GetBytes(salt);
                return salt;
            }
        }

Storing in C#: Database Integration
In C#, the resulting hashed password and the salt can be stored in a database. Retrieving and verifying passwords during login involves fetching the salt, combining it with the entered password, hashing the result, and comparing it with the stored hash.

public class UserDTO
    {
        public string UserName { get; set; }
        public string MobileNo { get; set; }
        public string Password { get; set; }
        public string ConfirmPassword { get; set; }
    }

public interface IHashingPassword
    {
        public Task<string> CreateUser(UserDTO create);
        public Task<string> UserVerify(UserDTO verify);
    }

public class HashingPassword : IHashingPassword
{
   private readonly DbContextCom _dbContext;
   public HashingPassword(DbContextCom dbContext)
        {
            _dbContext = dbContext;
        }

   public async Task<string> CreateUser(UserDTO create)
        {
            string password = create.ConfirmPassword;

            byte[] saltBytes = GenerateSalt();
            // Hash the password with the salt
            string hashedPassword = HashPassword(password, saltBytes);
            string base64Salt = Convert.ToBase64String(saltBytes);

            byte[] retrievedSaltBytes = Convert.FromBase64String(base64Salt);

            var user = new Models.Usertest
            {
                ConfirmPassword = hashedPassword,
                Email = "",
                IsActive = true,
                LastActiondatetime = DateTime.Now,
                Mobile = create.MobileNo,
                Password = base64Salt,
                UserName = create.UserName,
                Salt = retrievedSaltBytes
            };
            _dbContext.Usertests.AddAsync(user);
            await _dbContext.SaveChangesAsync();

            return "User added successfully";
        }

        public async Task<string> UserVerify(UserDTO verify)
        {

            // In a real scenario, you would retrieve these values from your database
            var user = _dbContext.Usertests.Where(x => x.Mobile == verify.MobileNo).Select(x => x).FirstOrDefault();

            string storedHashedPassword = user.ConfirmPassword;// "hashed_password_from_database";
            //string storedSalt = user.Salt; //"salt_from_database";
            byte[] storedSaltBytes = user.Salt;
            string enteredPassword = verify.ConfirmPassword; //"user_entered_password";

            // Convert the stored salt and entered password to byte arrays
            // byte[] storedSaltBytes = Convert.FromBase64String(user.Salt);
            byte[] enteredPasswordBytes = Encoding.UTF8.GetBytes(enteredPassword);

            // Concatenate entered password and stored salt
            byte[] saltedPassword = new byte[enteredPasswordBytes.Length + storedSaltBytes.Length];
            Buffer.BlockCopy(enteredPasswordBytes, 0, saltedPassword, 0, enteredPasswordBytes.Length);
            Buffer.BlockCopy(storedSaltBytes, 0, saltedPassword, enteredPasswordBytes.Length, storedSaltBytes.Length);

            // Hash the concatenated value
            string enteredPasswordHash = HashPassword(enteredPassword, storedSaltBytes);

            // Compare the entered password hash with the stored hash
            if (enteredPasswordHash == storedHashedPassword)
            {
                return "Password is correct.";
            }
            else
            {
                return "Password is incorrect.";
            }
        }
}

Conclusion: Bolstering Security
Hashing and salting passwords in C# are essential practices for building robust and secure authentication systems. By incorporating these techniques, developers can significantly mitigate the risk of unauthorized access, ensuring the confidentiality of user credentials in the ever-evolving landscape of cybersecurity.

dotnet beginner guidelines

Saidur Rahman Akash — Sun, 07 Jul 2024 08:55:52 +0000

1/ Object-Oriented Programming (OOP) is an essential paradigm for every programmer. It empowers developers with a powerful set of tools and concepts to design and build software systems efficiently. Without OOP, it's like being a soldier without a gun - missing out on a fundamental approach that enhances code organization, reusability, and maintainability.

2/ Structure with C# (Need a basic understanding of data structure)

3/ Algorithms with C# (Need basic understanding)

https://www.w3resource.com/csharp-exercises/basic-algo/index.php

4/ C# Basic topics (for more understanding please google it.)

5/ C# Basic to advance topics (not necessary as a beginner if you know this thing that’s a plus)

6/ C# in Details (if you want to know more about C# then google it because it's free.)

https://www.youtube.com/playlist?list=PLUOequmGnXxPjam--7GAls6Tb1fSmL9mL

7/ Basic SQL Query (SQL (Structured Query Language) plays a crucial role when working with C# and databases.

You can practice SQL problems in HackerRank - https://www.hackerrank.com/domains/sql

8/ MVC framework with C#

9/ LINQ (Language-Integrated Query) This is also a must-know topic for those who want to work with dotnet.

You can find some awesome projects to understand more about MVC with C#
https://github.com/SR-Akash/TMS-Transport-Management-System
https://github.com/SR-Akash/Coaching_Management
https://github.com/SR-Akash/School-Account-Management

10/ Understanding Rest API - Understanding REST API is crucial for developing web applications using ASP.NET Core. REST is an architectural style that defines a set of principles and constraints for building scalable, reliable, and loosely coupled web services.

_বেশ কয়েক বছর সফটওয়্যার ইন্ডাস্ট্রিতে কাজ করার ফলে আমাকে অনেকেই বিভিন্ন সময় প্রশ্ন করে থাকেন যে একজন ফ্রেশ গ্রাজুয়েট বা একজন ১১/১২ সেমিস্টারের স্টুডেন্ট হিসাবে কিভাবে সফটওয়্যার কোম্পানিতে ইন্ট্রানশীপ পেতে পারেন। আমি যেহেতু Backend এ dotnet নিয়ে কাজ করি সুতরাং আমার এক্সপেরিয়েন্স থেকে বিগিনারদের জন্য dotnet এর উপর একটা গাইডলাইন শেয়ার করার চেষ্টা করলাম। এইখানে সেই সব টপিকগুলো দেওয়া আছে যে গুলো একজন ইন্ট্রান এর থেকে একটা সফটওয়্যার কোম্পানি এক্সপেক্ট করে..
Note: কোম্পানি টু কোম্পানি ভ্যারি করতে পারে. _