views:

35

answers:

1

I stored the salt and hash values of the password during user registration... But during their login I then salt and hash the password given by the user, and what happens is that a new salt and a new hash are generated....

    string password = collection["Password"];
    reg.PasswordSalt = CreateSalt(6);
    reg.PasswordHash = CreatePasswordHash(password, reg.PasswordSalt);

These statements are in both registration and login....

The salt and hash during registration were eVSJE84W and 18DE22FED8C378DB7716B0E4B6C0BA54167315A2

During login they were 4YDIeARH and 12E3C1F4F4CFE04EA973D7C65A09A78E2D80AAC7..... Any suggestions?

    using System;
    using System.Security.Cryptography;
    using System.Web.Security;

    public static string CreateSalt(int size)
    {
        // Generate a cryptographically random byte array of the requested size.
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        byte[] buff = new byte[size];
        rng.GetBytes(buff);

        // Return a Base64 string representation of the random bytes.
        return Convert.ToBase64String(buff);
    }

    public static string CreatePasswordHash(string pwd, string salt)
    {
        // Concatenate password and salt, then SHA-1 hash the result (upper-case hex output).
        string saltAndPwd = String.Concat(pwd, salt);
        string hashedPwd =
         FormsAuthentication.HashPasswordForStoringInConfigFile(
         saltAndPwd, "sha1");

        return hashedPwd;
    }
+3  A: 

Right now you are generating a different salt upon registration and login. You need to use the same salt for hashing or you will get different hashes. That is to say, you need to store the salt in the database along with the password hash and reuse it when the user tries to log in later.

Steps:

  1. User registers and provides a plain text password
  2. You generate a new random salt and use it to hash the plain text
  3. You store the salt and the hash into the database
  4. Later the user tries to login by providing a new plain text password. You fetch the hash and the salt from database
  5. You use the salt to hash the plain text
  6. Compare the two hashes
Darin Dimitrov
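The six steps above, as an added example that is not code from the question or the answer. It keeps the question's hash construction (SHA-1 over password + salt, upper-case hex, computed here with `SHA1.Create()` instead of `FormsAuthentication` so it runs outside ASP.NET) and the `PasswordSalt` / `PasswordHash` column names; the `UserRecord` class is a constructed stand-in for the database row, and `Register`, `VerifyLogin` and `FixedTimeEquals` are names chosen for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public class PasswordStore
{
    // Constructed stand-in for the user's table row: the two columns the question already has.
    public class UserRecord
    {
        public string PasswordSalt;
        public string PasswordHash;
    }

    // Step 2: a fresh random salt, generated only at registration (or password change).
    public static string CreateSalt(int size)
    {
        using (var rng = new RNGCryptoServiceProvider())
        {
            var buff = new byte[size];
            rng.GetBytes(buff);
            return Convert.ToBase64String(buff);
        }
    }

    // Same construction as the question: SHA-1 over the UTF-8 bytes of password + salt,
    // rendered as upper-case hex so it matches the stored value format.
    public static string CreatePasswordHash(string pwd, string salt)
    {
        using (var sha1 = SHA1.Create())
        {
            byte[] digest = sha1.ComputeHash(Encoding.UTF8.GetBytes(pwd + salt));
            return BitConverter.ToString(digest).Replace("-", "");
        }
    }

    // Steps 1-3: registration derives the hash from a new salt and stores BOTH values.
    public static UserRecord Register(string plainTextPassword)
    {
        string salt = CreateSalt(16);
        return new UserRecord
        {
            PasswordSalt = salt,
            PasswordHash = CreatePasswordHash(plainTextPassword, salt)
        };
    }

    // Steps 4-6: login fetches the stored salt, re-hashes the supplied password with it,
    // and compares against the stored hash. No new salt is generated here.
    public static bool VerifyLogin(UserRecord stored, string plainTextPassword)
    {
        string candidate = CreatePasswordHash(plainTextPassword, stored.PasswordSalt);
        return FixedTimeEquals(candidate, stored.PasswordHash);
    }

    // Compare every character regardless of where the first mismatch is, so the comparison
    // time does not reveal how much of the hash matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        UserRecord row = Register("correct horse");   // what registration writes to the table
        Console.WriteLine(VerifyLogin(row, "correct horse"));
        Console.WriteLine(VerifyLogin(row, "wrong password"));
    }
}
```

The first `VerifyLogin` call succeeds and the second fails because both reuse `row.PasswordSalt`; calling `CreateSalt` again inside `VerifyLogin` would reproduce the question's symptom. A single SHA-1 round over password + salt is fast to brute-force once the table leaks; in .NET a slow, iterated derivation such as PBKDF2 (`Rfc2898DeriveBytes`) drops into the same `CreatePasswordHash` slot without changing the store-and-reuse flow shown here.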
@Darin As of now I am storing `PasswordSalt` and `PasswordHash` in my table.... Should I remove the `PasswordHash` field from my table?
Pandiya Chendur
Not at all, you need both.
Darin Dimitrov
No, you still need both in the table... but you need to actually *use* them both as well later on, not just the hash. Use the salt, apply it during the hashing process to the password supplied by the user, and then compare that to the stored hash. Don't generate a salt for each login, only for registration.
Amber
@Darin How to handle this procedure during forget password?
Pandiya Chendur
That's basically it. You need to store salt and hash, then use the same salt on the new user input to generate a hash. Same password, same salt = same hash. The salt is only generated when the user changes a password and is stored in the database.
TomTom
Forgot password? Simple - generate a new (random) password (and a new hash). Send the new password to the user. Most websites work like that.
TomTom
You might also want to structure this so that the hashed value is never read back, which makes it harder for it to be leaked by a programming error. All you'd need to do is retrieve the salt, generate a hash, and then pass it to the database, which will do the comparison for you (in a stored proc).
Steven Sudit