Password hashing using HMACSHA512 in asp.net application

\r\n\r\n public class UserForRegisterDTO\r\n\t{\r\n\t\t[Required]\r\n\t\tpublic string Username { get; set; }\r\n\t\tpublic string Password { get; set; }\r\n\t\tpublic int @id { get; set; }\r\n\t\tpublic byte[] PasswordHash { get; set; }\r\n\t\tpublic byte[] PasswordSalt { get; set; }\r\n\t}\r\n

\r\n\r\n [AllowAnonymous]\r\n public ActionResult Register()\r\n {\r\n return View();\r\n }\r\n\r\n [HttpPost]\r\n [AllowAnonymous]\r\n [Val@idateAntiForgeryToken]\r\n public ActionResult Register(UserForRegisterDTO model)\r\n {\r\n User user = new User();\r\n byte[] passwordHash, passwordSalt;\r\n CreatePasswordHash(model.Password,out passwordHash,out passwordSalt);\r\n user.passwordsalt = passwordSalt;\r\n user.passwordhash = passwordHash;\r\n user.username = model.Username;\r\n db.SaveChanges();\r\n return View(model);\r\n }\r\n\r\n [NonAction]\r\n private vo@id CreatePasswordHash(string password, out byte[] passwordHash, out byte[] passwordSalt)\r\n {\r\n using (var hmac = new System.Security.Cryptography.HMACSHA512())\r\n {\r\n passwordSalt = hmac.Key;\r\n passwordHash = hmac.ComputeHash(System.Text.Encoding.UTF8.GetBytes(password));\r\n }\r\n }\r\n\r\n

\r\n @{\r\n ViewBag.Title = \"Register\";\r\n }\r\n <div class=\"row\">\r\n <div class=\"col-lg-4\" >\r\n <h3>Register</h3>\r\n <form role=\"form\" action=\"/account/register\" method=\"post\">\r\n @Html.AntiForgeryToken()\r\n <div class=\"form-group\">\r\n <input @type=\"text\" class=\"form-control\" placeholder=\"Username\" name=\"Username\" required=\"\">\r\n </div>\r\n \r\n <div class=\"form-group\">\r\n <input @type=\"password\" class=\"form-control\" placeholder=\"Password\" name=\"Password\" required=\"\">\r\n </div>\r\n <button @type=\"submit\" class=\"btn btn-primary block full-w@idth m-b\">Register</button>\r\n </form>\r\n </div> \r\n</div>\r\n

\r\n public ActionResult Login(UserForLoginDTO user)\r\n {\r\n var data = db.User.FirstOrDefault(x =>x.username == user.UserName);\r\n if(data == null)\r\n {\r\n return View(user);\r\n }\r\n\r\n if (!VerifyPasswordHash(user.Password, data.passwordhash, data.passwordsalt))\r\n return View(user);\r\n else {\r\n return Redirect(\"/home\")\r\n }\r\n }\r\n\r\n\r\n [NonAction]\r\n private bool VerifyPasswordHash(string password, byte[] passwordHash, byte[] passwordSalt)\r\n {\r\n using(var hmac = new System.Security.Cryptography.HMACSHA512(passwordSalt))\r\n {\r\n var computedHash = hmac.ComputeHash(System.Text.Encoding.UTF8.GetBytes(password));\r\n\r\n for (int i = 0; i < computedHash.Length; i++)\r\n {\r\n if (computedHash[i] != passwordHash[i]) return false;\r\n }\r\n return true;\r\n }\r\n }\r\n\r\n

\r\n @{\r\n ViewBag.Title = \"Login\";\r\n }\r\n\r\n\r\n\t<div>\r\n\r\n <div><h2>Simple Login Form</h2></div>\r\n\r\n <form method=\"post\" action=\"/Account/Login\">\r\n\t\t\t@Html.AntiForgeryToken()\r\n <div style=\"padding-left:8px;padding-right:8px\">\r\n <div class=\"form-group\">\r\n <input @type=\"text\" class=\"form-control\" placeholder=\"Username\" name=\"UserName\" required=\"\">\r\n </div>\r\n\t\t<div class=\"form-group\">\r\n <input @type=\"password\" class=\"form-control\" placeholder=\"Password\" name=\"Password\" required=\"\">\r\n\t\t</div>\r\n <button @type=\"submit\" class=\"btn btn-primary\">Login</button>\r\n </div>\r\n\t</form>\r\n</div> \r\n

Password hashing using HMACSHA512 in asp.net application

👤 Diwas Poudel 🕒 08 Jul 2019 📁 TECH

Storing password in plain text in a database is very dangerous because anyone who looked through the database would be able to just read the passwords and if your password may be compromised so your application can be at risk. So, it is better to hash the password and store hashed form password in a database so that if your hashed password is compromised, then they don't expose your password. So, a password is a critical part of any web application.

Prevention is better than cure, so the correct precautions are better before your data become exposed. So, we the developer is responsible to take the right precautions!

So, without wasting time, lets the use of the best approach for storing password :

Hashing

Hashing a password is the best approach of storing password. Hashing is the practice of using an algorithm to map data of any size to a fixed length. There are many hashing functions like Hash functions like SHA256, SHA512, RipeMD, and whirlpool, HMAC256, HMAC512 etc.

Implementation

Let’s take a common hashing algorithm SHA-512 and apply HMAC in C#.

1)Create Model as : UserForRegisterDTO.cs


  public class UserForRegisterDTO
	{
		[Required]
		public string Username { get; set; }
		public string Password { get; set; }
		public int id { get; set; }
		public byte[] PasswordHash { get; set; }
		public byte[] PasswordSalt { get; set; }
	}

2) Creating Register Action inside AccountController


  [AllowAnonymous]
  public ActionResult Register()
  {
    return View();
  }

  [HttpPost]
  [AllowAnonymous]
  [ValidateAntiForgeryToken]
  public ActionResult Register(UserForRegisterDTO model)
  {
      User user = new User();
      byte[] passwordHash, passwordSalt;
      CreatePasswordHash(model.Password,out passwordHash,out passwordSalt);
      user.passwordsalt = passwordSalt;
      user.passwordhash = passwordHash;
      user.username = model.Username;
      db.SaveChanges();
      return View(model);
  }

  [NonAction]
  private void CreatePasswordHash(string password, out byte[] passwordHash, out byte[] passwordSalt)
  {
      using (var hmac = new System.Security.Cryptography.HMACSHA512())
      {
        passwordSalt = hmac.Key;
        passwordHash = hmac.ComputeHash(System.Text.Encoding.UTF8.GetBytes(password));
      }
  }

3)View of Register Action : register.cshtml

  @{
    ViewBag.Title = "Register";
  }
  <div class="row">
  <div class="col-lg-4" >
    <h3>Register</h3>
      <form role="form" action="/account/register" method="post">
        @Html.AntiForgeryToken()
          <div class="form-group">
           <input type="text" class="form-control" placeholder="Username" name="Username" required="">
          </div>
  
        <div class="form-group">
          <input type="password" class="form-control" placeholder="Password" name="Password" required="">
        </div>
      <button type="submit" class="btn btn-primary block full-width m-b">Register</button>
    </form>
  </div> 
</div>

Here , I have register user "Diwas Poudel"

User "Diwas Poudel registered successfully. Let's look at postgresql.

user created at postgresql database

Lets login same user

4) In AccountController :Creating Login Action Method

  public ActionResult Login(UserForLoginDTO user)
 {
    var data = db.User.FirstOrDefault(x =>x.username == user.UserName);
    if(data == null)
    {
      return View(user);
    }

    if (!VerifyPasswordHash(user.Password, data.passwordhash, data.passwordsalt))
      return View(user);
    else {
      return Redirect("/home")
      }
  }


 [NonAction]
 private bool VerifyPasswordHash(string password, byte[] passwordHash, byte[] passwordSalt)
 {
   using(var hmac = new System.Security.Cryptography.HMACSHA512(passwordSalt))
   {
      var computedHash = hmac.ComputeHash(System.Text.Encoding.UTF8.GetBytes(password));

      for (int i = 0; i < computedHash.Length; i++)
      {
        if (computedHash[i] != passwordHash[i]) return false;
      }
        return true;
    }
  }

5) View of Login as Login.cshtml

  @{
    ViewBag.Title = "Login";
  }


	<div>

  <div><h2>Simple Login Form</h2></div>

    <form  method="post" action="/Account/Login">
			@Html.AntiForgeryToken()
    <div style="padding-left:8px;padding-right:8px">
      <div class="form-group">
        <input type="text" class="form-control" placeholder="Username" name="UserName" required="">
      </div>
		<div class="form-group">
      <input type="password" class="form-control" placeholder="Password" name="Password" required="">
		</div>
      <button type="submit" class="btn btn-primary">Login</button>
    </div>
	</form>
</div>