Salted Password Hashing. Am I doing it right in ASP.NET environment?

704 views Asked by At

I am developing a website by using ASP.NET. I want to implement login authentication for my users. I am using SALT HASH method to securely save users' passwords to the DB. By looking at various codes I wrote a code like below to generate the SALT and the Hashed passwords to store in Database.

    private string hashedPassword;
    private string Salt;
    private string SaltPlusPassword;
    private const byte saltSize = 24;
    byte[] saltArray;
    byte[] hashedPasswordArray;
    byte[] bytes;

   public void Save_Login(string passWord)
    {
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
        {
            saltArray = new byte[saltSize];
            rng.GetBytes(saltArray);
        }
        Salt = Convert.ToBase64String(saltArray);
        SaltPlusPassword = String.Format("{0}{1}", Salt, passWord);
        using (SHA256 sha = SHA256.Create())
        {
            bytes = Encoding.UTF8.GetBytes(SaltPlusPassword);
            hashedPasswordArray = sha.ComputeHash(bytes);
        }


        hashedPassword = Convert.ToBase64String(hashedPasswordArray);
    }

//Salt will be save to DB

//hashedPassword will be save to DB.

So I have few questions.

1) I read in an article that saying "make your salt is at least as long as the hash function's output" ok. What are the sizes for saltArray, hashedPasswordArray and bytes arrays which are declared in my code? I used saltArray size as 24. Is it ok?

2) What will happen if I use ?

bytes = Encoding.Unicode.GetBytes(SaltPlusPassword);

instead of

bytes = Encoding.UTF8.GetBytes(SaltPlusPassword);

3) What is the datatype should I use to store salt and the hashed password in the DB? ( My db is MYSQL )

4) Is there any performance difference if I use SHA256Managed instead of SHA256? Which is best?

5) Finally am I doing this in the right way? What are the weaknesses in above code? What are your suggestions?

1

There are 1 answers

2
sonofaforester On

Rather than deal with all these issues, why not use the built in identity management tools provided by ASP.NET. See here

http://www.asp.net/identity/overview/getting-started/introduction-to-aspnet-identity

Much more common and robust.