Password hashing using HMACSHA512 in asp.net application
Author: Diwas Poudel (Ourtechroom), published 2019-07-08
https://ourtechroom.com/password-hashing-using-HMACSHA512-asp.net-application
Storing passwords in plain text in a database is very dangerous, because anyone who looks through the database can simply read them, and once a password is compromised your application is at risk. It is better to hash the password and store only the hashed form, so that if the stored hash is compromised it still does not expose the password itself. The password is a critical part of any web application.
Prevention is better than cure, so take the correct precautions before your data becomes exposed. We, the developers, are responsible for taking the right precautions!
So, without wasting time, let's look at the best approach for storing passwords:
Hashing a password is the best approach to storing it. Hashing is the practice of using an algorithm to map data of any size to a fixed length. There are many hash functions, such as SHA256, SHA512, RIPEMD and Whirlpool, and keyed variants such as HMAC-SHA256 and HMAC-SHA512.
Let's take a common hashing algorithm, SHA-512, and apply HMAC to it in C#.
1) Create the model: UserForRegisterDTO.cs
using System.ComponentModel.DataAnnotations;   // needed for [Required]

public class UserForRegisterDTO
{
    [Required]
    public string Username { get; set; }
    public string Password { get; set; }
    public int id { get; set; }
    public byte[] PasswordHash { get; set; }   // HMAC-SHA512 output (64 bytes)
    public byte[] PasswordSalt { get; set; }   // the random HMAC key, stored next to the hash
}
2) Creating the Register action inside AccountController
[AllowAnonymous]
public ActionResult Register()
{
    return View();
}

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult Register(UserForRegisterDTO model)
{
    User user = new User();
    byte[] passwordHash, passwordSalt;
    CreatePasswordHash(model.Password, out passwordHash, out passwordSalt);
    user.passwordsalt = passwordSalt;
    user.passwordhash = passwordHash;
    user.username = model.Username;
    // db is the application's DbContext (the same one the Login action queries below).
    // The new entity must be added to the context, otherwise SaveChanges() persists nothing.
    db.User.Add(user);
    db.SaveChanges();
    return View(model);
}

[NonAction]
private void CreatePasswordHash(string password, out byte[] passwordHash, out byte[] passwordSalt)
{
    // HMACSHA512() with no key argument generates a fresh random key. That key is stored
    // as the salt, so two users with the same password end up with different hashes.
    using (var hmac = new System.Security.Cryptography.HMACSHA512())
    {
        passwordSalt = hmac.Key;
        passwordHash = hmac.ComputeHash(System.Text.Encoding.UTF8.GetBytes(password));
    }
}
3) View of the Register action: register.cshtml
@{
    ViewBag.Title = "Register";
}
<div class="row">
    <div class="col-lg-4">
        <h3>Register</h3>
        <form role="form" action="/account/register" method="post">
            @Html.AntiForgeryToken()
            <div class="form-group">
                <input type="text" class="form-control" placeholder="Username" name="Username" required="">
            </div>
            <div class="form-group">
                <input type="password" class="form-control" placeholder="Password" name="Password" required="">
            </div>
            <button type="submit" class="btn btn-primary block full-width m-b">Register</button>
        </form>
    </div>
</div>
Here, I have registered the user "Diwas Poudel".
User "Diwas Poudel" registered successfully. Let's look at PostgreSQL.
Let's log in as the same user.
4) In AccountController: creating the Login action method
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]   // the login form posts @Html.AntiForgeryToken(), as Register does
public ActionResult Login(UserForLoginDTO user)
{
    var data = db.User.FirstOrDefault(x => x.username == user.UserName);
    if (data == null)
    {
        return View(user);
    }

    if (!VerifyPasswordHash(user.Password, data.passwordhash, data.passwordsalt))
        return View(user);
    else
    {
        return Redirect("/home");
    }
}

[NonAction]
private bool VerifyPasswordHash(string password, byte[] passwordHash, byte[] passwordSalt)
{
    // Recompute the HMAC with the stored key (salt) and compare it with the stored hash.
    using (var hmac = new System.Security.Cryptography.HMACSHA512(passwordSalt))
    {
        var computedHash = hmac.ComputeHash(System.Text.Encoding.UTF8.GetBytes(password));

        if (computedHash.Length != passwordHash.Length) return false;

        // Compare every byte instead of returning on the first mismatch, so the time
        // taken does not reveal how many leading bytes of the stored hash matched.
        int diff = 0;
        for (int i = 0; i < computedHash.Length; i++)
        {
            diff |= computedHash[i] ^ passwordHash[i];
        }
        return diff == 0;
    }
}
5) View of Login: Login.cshtml
@{
    ViewBag.Title = "Login";
}
<div>
    <div><h2>Simple Login Form</h2></div>
    <form method="post" action="/Account/Login">
        @Html.AntiForgeryToken()
        <div style="padding-left:8px;padding-right:8px">
            <div class="form-group">
                <input type="text" class="form-control" placeholder="Username" name="UserName" required="">
            </div>
            <div class="form-group">
                <input type="password" class="form-control" placeholder="Password" name="Password" required="">
            </div>
            <button type="submit" class="btn btn-primary">Login</button>
        </div>
    </form>
</div>
Let's visualize it:
The hash of "a" using HMAC-SHA512 produces:
239254CD9E54392DDE39BC8F975F2498
CF709CAA598CE3762BE282D860DBEA5D
8034EEE86F19BBDF3EFDAB22C6BE610A
8908FAF2800AF46243364135E9BB206E
==================================================================
The hash of "www.ourtechroom.com" using HMAC-SHA512 produces:
3F1E17B76F871F6DDEE681BC90C5F753
961D3B45B7CC717A62B39CBE3186206E
298BFA22B37A8CF67767737845992D7C
496DB5F985F8B255309D4DC9BC2A5EFA
In both cases the output is a 128-digit hexadecimal number, regardless of the input length.
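The register/verify flow of steps 1 to 5 and the fixed-length output shown above, modelled in Python as an added example (this is not the article's C# code); KEY_BYTES and the function names are my choices, mirroring the article's CreatePasswordHash and VerifyPasswordHash.

```python
import hashlib
import hmac
import os

# Added example, not the article's code. HMACSHA512() with no key argument generates a
# random 128-byte key, which the article stores as the "salt"; KEY_BYTES mirrors that.
KEY_BYTES = 128


def create_password_hash(password: str) -> tuple:
    """Mirror of CreatePasswordHash: returns (password_hash, password_salt)."""
    salt = os.urandom(KEY_BYTES)  # fresh random HMAC key for this user
    digest = hmac.new(salt, password.encode("utf-8"), hashlib.sha512).digest()
    return digest, salt


def verify_password_hash(password: str, password_hash: bytes, password_salt: bytes) -> bool:
    """Mirror of VerifyPasswordHash, using a constant-time comparison."""
    computed = hmac.new(password_salt, password.encode("utf-8"), hashlib.sha512).digest()
    # compare_digest does not stop at the first mismatching byte, so the time taken
    # does not leak how many leading bytes of the stored hash were guessed correctly.
    # Note: HMAC-SHA512 is a fast keyed hash; a deliberately slow password hash
    # (PBKDF2, bcrypt, Argon2) slows offline guessing of a leaked (hash, salt) pair.
    return hmac.compare_digest(computed, password_hash)


def hex_rows(password: str, password_salt: bytes, width: int = 32) -> list:
    """Upper-case hex digest split into rows, as in the article's visualisation."""
    hexdigest = hmac.new(password_salt, password.encode("utf-8"), hashlib.sha512).hexdigest()
    hexdigest = hexdigest.upper()
    return [hexdigest[i:i + width] for i in range(0, len(hexdigest), width)]


def demo() -> dict:
    """Register two users with the same password, log one in, check the output length."""
    hash1, salt1 = create_password_hash("www.ourtechroom.com")
    hash2, salt2 = create_password_hash("www.ourtechroom.com")  # second user, own key
    return {
        "login_ok": verify_password_hash("www.ourtechroom.com", hash1, salt1),
        "wrong_password_rejected": not verify_password_hash("www.ourtechroom.co", hash1, salt1),
        "same_password_different_hash": hash1 != hash2,
        "hex_digits_short_input": sum(len(r) for r in hex_rows("a", salt1)),
        "hex_digits_long_input": sum(len(r) for r in hex_rows("www.ourtechroom.com", salt1)),
    }


if __name__ == "__main__":
    for row in hex_rows("a", os.urandom(KEY_BYTES)):
        print(row)
    print(demo())
```

The printed rows differ on every run because the key is random, which is exactly why the article's two hashes cannot be reproduced without the key stored in the PasswordSalt column.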