C# Hashing algorithm class | Asp.Net | .Net Core

ByShehryar Khan June 11, 2018June 27, 2018

In this article, we’ll learn how to secure your password using already implemented C# hashing algorithm class and the importance of password hashing.

Users data is the most important thing in any application so it’s a developer responsibility to keep users data in the most secure way using best practices. When we talk about user account security, first thing comes in our mind is account password.

In any application, when a user creates his account the must have to enter a password. Account password with other account credentials always save in the database so if someone gains unauthorized access to the database then he can also see passwords for all accounts of that system.

Password Hashing

Password Hashing performs a one-way transformation on password, changing the password into another String, called the hashed password. “One-way” means that it is not possible to turn the hashed password back into the original password using the sample algorithm in reverse order.

For Password Hashing, there are several built-in algorithms in all languages(C# also provides e.g. MD5) but for a more secure password, hashing algorithm must be a combination of some built-in algorithms.

I’m going to share a password hashing class for Asp.Net Code. Using this class you can easily Hash a password in a secure string before saving it into a database and also match password with hashed string with a function.

So here’s the Code

using System;
using System.Security.Cryptography;

namespace MyProject.Helpers
{
    public sealed class SecurePasswordHasherHelper
    {
        /// <summary>
        /// Size of salt
        /// </summary>
        private const int SaltSize = 16;

        /// <summary>
        /// Size of hash
        /// </summary>
        private const int HashSize = 20;

        /// <summary>
        /// Creates a hash from a password
        /// </summary>
        /// <param name="password">the password</param>
        /// <param name="iterations">number of iterations</param>
        /// <returns>the hash</returns>
        public static string Hash(string password, int iterations)
        {
            //create salt
            byte[] salt;
            new RNGCryptoServiceProvider().GetBytes(salt = new byte[SaltSize]);

            //create hash
            var pbkdf2 = new Rfc2898DeriveBytes(password, salt, iterations);
            var hash = pbkdf2.GetBytes(HashSize);

            //combine salt and hash
            var hashBytes = new byte[SaltSize + HashSize];
            Array.Copy(salt, 0, hashBytes, 0, SaltSize);
            Array.Copy(hash, 0, hashBytes, SaltSize, HashSize);

            //convert to base64
            var base64Hash = Convert.ToBase64String(hashBytes);

            //format hash with extra information
            return string.Format("$MYHASH$V1${0}${1}", iterations, base64Hash);
        }
        /// <summary>
        /// Creates a hash from a password with 10000 iterations
        /// </summary>
        /// <param name="password">the password</param>
        /// <returns>the hash</returns>
        public static string Hash(string password)
        {
            return Hash(password, 10000);
        }

        /// <summary>
        /// Check if hash is supported
        /// </summary>
        /// <param name="hashString">the hash</param>
        /// <returns>is supported?</returns>
        public static bool IsHashSupported(string hashString)
        {
            return hashString.Contains("$MYHASH$V1$");
        }

        /// <summary>
        /// verify a password against a hash
        /// </summary>
        /// <param name="password">the password</param>
        /// <param name="hashedPassword">the hash</param>
        /// <returns>could be verified?</returns>
        public static bool Verify(string password, string hashedPassword)
        {
            //check hash
            if (!IsHashSupported(hashedPassword))
            {
                throw new NotSupportedException("The hashtype is not supported");
            }

            //extract iteration and Base64 string
            var splittedHashString = hashedPassword.Replace("$MYHASH$V1$", "").Split('$');
            var iterations = int.Parse(splittedHashString[0]);
            var base64Hash = splittedHashString[1];

            //get hashbytes
            var hashBytes = Convert.FromBase64String(base64Hash);

            //get salt
            var salt = new byte[SaltSize];
            Array.Copy(hashBytes, 0, salt, 0, SaltSize);

            //create hash with given salt
            var pbkdf2 = new Rfc2898DeriveBytes(password, salt, iterations);
            byte[] hash = pbkdf2.GetBytes(HashSize);

            //get result
            for (var i = 0; i < HashSize; i++)
            {
                if (hashBytes[i + SaltSize] != hash[i])
                {
                    return false;
                }
            }
            return true;
        }
    }

}

Add this class to your project and use it like this:

string hashed_password = SecurePasswordHasherHelper.Hash("12345");

12345 equivalent hashed string is $MYHASH$V1$10000$PMCjQg77vX6piW11bo8XKwM2dKjwMk8qOWVj25sMEonKoN2e

Every time when you’ll hash 12345, you’ll get a different string

You can Validate password in this way

if (SecurePasswordHasher.Verify("12345",hashed_password))
{
     return "Password is Valid";
}

Shehryar Khan

I'm passionate about learning new technologies as well as mentoring and helping others get started with their programming career. This blog is my way of giving back to the Community.

Load Data from Database to TreeView Asp.Net – Bootstrap Treeview

ByShehryar Khan August 31, 2018October 14, 2018

Loading Data from Database to TreeView is difficult as compared to Loading Data into a Table. Let me explain first that why and in what case developers find it difficult. Above all, we need to understand the structure of the Database table from where we want to load data to a TreeView. Actually, TreeView is…

.Net | .Net Core | C# | TCP

Multi-threaded TCP Server using Dotnet Core Example | C#

ByShehryar Khan June 3, 2019June 3, 2019

Many times during my job as a developer I have assigned a task to Develop a Multi-threaded TCP server for handling multiple Clients. Once I developed a TCP server for Vehicle Tracker Devices & I have also developed a TCP Server for handling multiple Smart Meters. Every time TCP Server developed using .Net Core was…

Why I’m in Love with .Net Core – Future of .Net Core 2019

ByShehryar Khan January 6, 2019May 16, 2019

If you ask “what is the best” type of questions, you will end up with biased answers, usually. Everyone will tell you his own preference. Although you have listened to this famous Quote “Love is blind” & no one believes to defend his love with arguments & solid pieces of evidence, but In this Article,…

.Net | .Net Core | Admin Panel Tutorial | ASP.NET | C#

Dynamic Role Based Authorization Asp.net Core | Assign Role from DB

ByShehryar Khan November 24, 2018September 25, 2019

Often times, after you’ve authenticated your user, now you want to authorize what he actually has control over based on his role. A user should only have access for what he’s authorized to control. In Applications like Admin Panel where your Application is being managed by multiple users, you must manage your users according to…

CRUD Operations in Asp.net Core MVC

ByShehryar Khan November 10, 2018September 25, 2019

Yes, I’d say a large percentage of most applications I’ve worked on is basic CRUD(Create, Read, Update, Delete) operations. Especially In an Admin Panel, you need to repeat the CRUD Operations for every object in your system. For creating beautiful & responsive UI, I’m using AdminLTE Template. So, In case if you missed Setting up AdminLTE in Asp.net…

.Net | .Net Core | Admin Panel Tutorial | C#

Setting up Admin Template in Asp.net Core MVC

ByShehryar Khan October 30, 2018September 25, 2019

In this part of the tutorial, we’re going to Setup AdminLTE Template in an Empty Asp.net Core MVC Project. This is the 3rd Part of Admin Panel Tutorial Series. Choosing Template for Admin Panel Creating a Database Setup AdminLTE Template in Asp.net Core MVC project Creating Models Login Page for Admin Panel CRUD(Create, Read, Update, Delete) Operations Creating…

5 Comments

Dm says:

March 24, 2020 at 12:00 am

DB Load Hash password How to Match User Enter Password ????
Emine says:

June 21, 2019 at 7:37 am

I mean that , when i make my register with clear string password like “MyPassword123” i send in db and hashing password and look like this “MYHASHPASS54dc4sd54cssd4sfcc s4s4sd1s 2sx54dscs5sd” , when i go to login , i use “MyPassword123” ….
1. Shehryar Khan says:
  
  June 22, 2019 at 6:36 pm
  
  To verify your password, you need to give the password instead of 12345 & hashed password(from DB) at the place of hashed_password in the below Code.
  SecurePasswordHasher.Verify("12345",hashed_password)
Emine says:

June 19, 2019 at 11:28 am

Hi , i was use your code source for hashing password , but when i try to login , can not do this operations, how to load the password from db ?
1. Shehryar Khan says:
  
  June 21, 2019 at 7:24 am
  
  You must load Hashed password from DB.

Comments are closed.

Password Hashing

Similar Posts

5 Comments