Comparing salt and hashed passwords during login doesn't seem to work right....
Posted by Pandiya Chendur on Stack Overflow
Published on 2010-05-19T06:35:26Z
Indexed on 2010/05/19 6:40 UTC
I stored the salt and hash values of the password during user registration... But during their login I then salt and hash the password given by the user, and what happens is that a new salt and a new hash are generated....
    string password = collection["Password"];
    reg.PasswordSalt = CreateSalt(6);
    reg.PasswordHash = CreatePasswordHash(password, reg.PasswordSalt);
These statements are in both registration and login....
The salt and hash during registration were eVSJE84W and 18DE22FED8C378DB7716B0E4B6C0BA54167315A2.
During login they were 4YDIeARH and 12E3C1F4F4CFE04EA973D7C65A09A78E2D80AAC7.
..... Any suggestions....
    public static string CreateSalt(int size)
    {
        // Generate a cryptographic random number.
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        byte[] buff = new byte[size];
        rng.GetBytes(buff);
        // Return a Base64 string representation of the random number.
        return Convert.ToBase64String(buff);
    }

    public static string CreatePasswordHash(string pwd, string salt)
    {
        string saltAndPwd = String.Concat(pwd, salt);
        string hashedPwd =
            FormsAuthentication.HashPasswordForStoringInConfigFile(
                saltAndPwd, "sha1");
        return hashedPwd;
    }
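
The login flow the question is about, as an added example that is not part of the original post: a new salt is created only at registration, and login re-hashes the submitted password with the salt stored for that user before comparing. The `LoginExample` class, the in-memory `Users` store, the sample credentials and the SHA-1 stand-in for `FormsAuthentication.HashPasswordForStoringInConfigFile` are assumptions made so the block runs as a console program without System.Web.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class LoginExample
{
    // Hypothetical in-memory user store: username -> { salt, hash }.
    static readonly Dictionary<string, string[]> Users = new Dictionary<string, string[]>();

    static string CreateSalt(int size)
    {
        byte[] buff = new byte[size];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buff);
        return Convert.ToBase64String(buff);
    }

    // Assumed stand-in for the post's FormsAuthentication call:
    // uppercase hex SHA-1 over password + salt.
    static string CreatePasswordHash(string pwd, string salt)
    {
        using (var sha1 = SHA1.Create())
            return BitConverter.ToString(
                sha1.ComputeHash(Encoding.UTF8.GetBytes(pwd + salt))).Replace("-", "");
    }

    // Registration: the only place where a new salt is generated.
    public static void Register(string user, string password)
    {
        string salt = CreateSalt(6);
        Users[user] = new[] { salt, CreatePasswordHash(password, salt) };
    }

    // Login: read the stored salt back, re-hash the supplied password with it, compare.
    public static bool VerifyLogin(string user, string password)
    {
        string[] rec;
        if (!Users.TryGetValue(user, out rec)) return false;
        string candidate = CreatePasswordHash(password, rec[0]);
        // Accumulate differences over all characters instead of stopping at the first mismatch.
        int diff = candidate.Length ^ rec[1].Length;
        for (int i = 0; i < candidate.Length && i < rec[1].Length; i++)
            diff |= candidate[i] ^ rec[1][i];
        return diff == 0;
    }

    public static void Main()
    {
        Register("alice", "s3cret-constructed");   // constructed sample credentials
        Console.WriteLine(VerifyLogin("alice", "s3cret-constructed"));
        Console.WriteLine(VerifyLogin("alice", "wrong-password"));
    }
}
```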
© Stack Overflow or respective owner