Validation of a hashed Password (withsalt)

Last post 05-20-2008 5:44 AM by ralph.varjabedian. 6 replies.


  • Validation of a hashed Password (withsalt)

    05-14-2008, 10:22 AM
    • Member
      85 point Member
    • naresh_337
    • Member since 10-18-2007, 11:51 AM
    • Posts 65

    Hi friends!

    How do we do validation of a hashed password (with salt)?

    Please suggest

    Thanks

  • Re: Validation of a hashed Password (withsalt)

    05-14-2008, 4:17 PM

    Well here is the general idea:

    Without hashing: you would save the clear text password of the user in the database (say = letmein) and then when you want to authenticate him

    you ask him for the password and compare it with the password you have in your database (input password ?= password in database). Simple.

    But this is an extremely bad practice: if for some reason someone gets hold of your database, you have clear passwords for all your end users (clients), which would not only put the accounts on your website at risk but would put their other accounts (mainly their email accounts) at risk too, because a lot of people use the same password across many sites... It is a good security practice to use at least two passwords, one for all the websites and one for emails.

    If your application is aiming to be more professional when it comes to passwords then this is what you do.

    When the user initially enters his password, do not save it in the database as is; hash it (using MD5 or SHA1 or SHA256; I prefer to use SHA, which is stronger than MD5) and save that in your database,

    so his password letmein hashed will become say: E53411 (hexadecimal)

    Next time he wants to gain access to the application, take his input, hash it and compare the hashed input with the value in your database, which is hashed already; if both hashes equal each other then give him access. Later on, if he forgets his password you will have to reset it instead of emailing it to him (which is also very bad).

    Moreover, when I want to hash the password he puts in, I combine it with his username and hash that instead of just the password (simple concatenation of the username and password would do). This way, if someone was able to gain access to your database and wants to gain access to another account, he cannot just copy his hashed password from his account's record to another account's record and expect to gain access to that other account with the password he knows from his own account, because the hash will depend on the username too (or the email, for that purpose).

    Hope this helps.

    I have some small code snippets for these in C# if you want. Let me know.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    My Blog
    If you get the answer to your question, please mark it as the answer.
  • Re: Validation of a hashed Password (withsalt)

    05-16-2008, 8:21 AM
    • Member
      85 point Member
    • naresh_337
    • Member since 10-18-2007, 11:51 AM
    • Posts 65

    Please, I need the code!

    Please give me the code.

    Thanks in advance!

  • Re: Validation of a hashed Password (withsalt)

    05-16-2008, 8:49 AM
    Answer
    • All-Star
      60,811 point All-Star
    • anas
    • Member since 09-21-2006, 8:31 AM
    • Palestinian Territory, Occupied
    • Posts 6,851
    • Moderator

    Hi,

    Are you working with the membership provider? If yes, you just need to use Membership.ValidateUser(user, Password)

    where the password is in clear text; this method will automatically hash the password that is passed to it and compare it with the current hashed value which is stored in the database.

    If the hashed value equals the one in the database, the passed password is correct.


    Note:

    Since hashing is a one-way algorithm, you can't get the password back from the hash.

    So if you want to compare a clear text password with the hashed one, you need to hash the clear text password and compare the two hashes; if they are equal then the passwords are equal.


    Regards,

    Anas Ghanem | Blog

  • Re: Validation of a hashed Password (withsalt)

    05-16-2008, 10:33 AM
    Answer


            // namespaces needed for the snippet to compile on its own
            using System;
            using System.Security.Cryptography;
            using System.Text;

            public static class PasswordHasher
            {
                // this is the main function that you want to use:
                // returns the hash as a Base64 string you can store in the database
                public static string SHA256OneWayEncryptionToBase64String(string password, string username)
                {
                    return Convert.ToBase64String(SHA256OneWayEncryption(password, username));
                }

                // the username is concatenated to the password and acts as the salt,
                // so the same password hashes differently for different users
                public static byte[] SHA256OneWayEncryption(string password, string username)
                {
                    string input = String.Format("{0}{1}", password, username);
                    SHA256Managed hash = new SHA256Managed();
                    return hash.ComputeHash(ASCIIEncoding.ASCII.GetBytes(input));
                }
            }
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    My Blog
    If you get the answer to your question, please mark it as the answer.
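As an added example (not code from this thread or its authors), here is the register-then-validate round trip the original question asks about, tying together the general idea in the first reply and the SHA-256 snippet above; it differs from that snippet by using a random per-user salt stored beside the hash instead of the username, and the record format is an assumption of this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Record format "<base64 salt>:<base64 hash>" is a constructed convention for this example.
public static class SaltedPasswordStore
{
    // Registration: draw a random 16-byte salt, hash salt+password, store both.
    public static string CreateRecord(string password)
    {
        byte[] salt = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        byte[] hash = Hash(password, salt);
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash);
    }

    // Validation: recover the salt from the record, re-hash the candidate password
    // with it, and compare the two digests in constant time.
    public static bool Validate(string password, string record)
    {
        string[] parts = record.Split(':');
        if (parts.Length != 2) return false;
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        byte[] actual = Hash(password, salt);
        return FixedTimeEquals(actual, expected);
    }

    private static byte[] Hash(string password, byte[] salt)
    {
        // UTF-8 rather than ASCII, so non-ASCII characters in a password are not lost
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        using (SHA256 sha = SHA256.Create())
            return sha.ComputeHash(input);
    }

    // Byte-by-byte XOR accumulate: runtime does not depend on where the digests first differ.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Validate("letmein", CreateRecord("letmein")) returns true and any other password returns false for that record. Convert.FromBase64String throws FormatException on a malformed record, so a caller should treat that as a failed login as well.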
  • Re: Validation of a hashed Password (withsalt)

    05-20-2008, 5:19 AM
    • Member
      85 point Member
    • naresh_337
    • Member since 10-18-2007, 11:51 AM
    • Posts 65

    Why do we use the static keyword before the return type?


  • Re: Validation of a hashed Password (withsalt)

    05-20-2008, 5:44 AM

    static is a way to use functions of a class without creating an instance. When you do not need an instance this is more convenient.

    Instead of doing this

    ExampleClass var = new ExampleClass();

    var.ExampleMethod();

    You do this:

    ExampleClass.ExampleMethod();

    Since you do not have an instance of the object you do not have "this".

    Hope this helps.


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    My Blog
    If you get the answer to your question, please mark it as the answer.