
I have designed a signup page in C#. All users have to enter their password, and then the program hashes the password with the SHA512 hashing method before saving it to a database.

Now, I want to verify the password entered on the login page against the saved password in the database.

The code below is the method I used to hash the passwords.

Now, how can I verify the entered password on the login page?

// Encode the entered password as bytes; UTF-8 keeps non-ASCII characters intact (ASCII.GetBytes turns them into '?').
byte[] infos = System.Text.Encoding.UTF8.GetBytes(txtPassword.Text);
using (var sha512 = System.Security.Cryptography.SHA512.Create())
    infos = sha512.ComputeHash(infos);
// Encode the raw digest for storage; ASCII.GetString would corrupt every byte above 0x7F.
String hash = Convert.ToBase64String(infos);
  • You cannot decrypt the encrypted password in the database. You'll have to encrypt the password you're getting on the login page and compare that with the password that is in the database. If both hashes match, then it is correct; else it is incorrect. Commented Jul 19, 2019 at 10:48
  • @KinjalParmar Please do not throw around "encrypt" and "hashed" as if they were the same. You are confusing OP even further. Commented Jul 19, 2019 at 11:27
  • @Nero Here is a fairly good comprehension: mking.net/blog/… Commented Jul 19, 2019 at 11:31
  • @KinjalParmar I am doing what you say! I do not want to decrypt the password from the database, but I want to encrypt the entered password from the login field and compare it with the password in the database to verify it! Commented Jul 19, 2019 at 11:32

2 Answers

The SHA* hash family is not appropriate for storing passwords safely, because they are way too fast and can be brute-forced too easily. You should switch to a dedicated password-hash function like BCrypt, Argon2 or PBKDF2, which apply a salt and use key-stretching.

A good BCrypt library is available via Nuget: https://www.nuget.org/packages/BCrypt.Net-Next/

Its usage is very straightforward:

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
// (Fully qualified because the BCrypt.Net-Next class BCrypt.Net.BCrypt shares its name with the BCrypt namespace.)
string hashToStoreInDb = BCrypt.Net.BCrypt.HashPassword(password);

// Check if the hash of the entered login password matches the stored hash.
// The salt and the cost factor will be extracted from existingHashFromDb.
bool isPasswordCorrect = BCrypt.Net.BCrypt.Verify(password, existingHashFromDb);

2 Comments

Is SHA-3 also not secure for passwords?
@KunalMukherjee - Have a look at this benchmark, there you can see that one can still calculate about 1 Giga SHA-3 / sec with a common GPU. This is because the SHA hashes are designed to be fast and not for hashing passwords. That's why password-hash functions always offer a cost factor, which can control the required time to do a single calculation.
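To show what the accepted answer's library does behind its two calls (per-password salt, a cost factor stored next to the hash, and a verify step that re-derives and compares in constant time), here is an added example using the PBKDF2 implementation built into .NET (Rfc2898DeriveBytes); it is not code from the answer or from BCrypt.Net. The class name, the record format "PBKDF2-SHA256$iterations$salt$key" and the iteration count are constructed for this example, and CryptographicOperations.FixedTimeEquals assumes .NET Core 2.1 or later.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical helper (added example): PBKDF2 with per-password salt and a cost factor.
// Stored record format is a constructed convention: "PBKDF2-SHA256$<iterations>$<salt b64>$<key b64>"
public static class PasswordHasher
{
    private const int SaltSize = 16;                // 128-bit random salt, unique per password
    private const int KeySize = 32;                 // 256-bit derived key
    private const int DefaultIterations = 600_000;  // cost factor; raise it as hardware gets faster

    // Signup: derive a key from the password and a fresh random salt, then pack everything
    // the login step will need into one string that can be stored in the database.
    public static string Hash(string password, int iterations = DefaultIterations)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        byte[] key = Derive(password, salt, iterations);
        return "PBKDF2-SHA256$" + iterations + "$" + Convert.ToBase64String(salt) + "$" + Convert.ToBase64String(key);
    }

    // Login: re-derive the key with the salt and iteration count taken from the stored
    // record (never from the client) and compare the result in constant time.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != "PBKDF2-SHA256") return false;
        if (!int.TryParse(parts[1], out int iterations) || iterations < 1) return false;
        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[2]);
            expected = Convert.FromBase64String(parts[3]);
        }
        catch (FormatException) { return false; }   // corrupted record: treat as a mismatch
        byte[] actual = Derive(password, salt, iterations);
        // FixedTimeEquals avoids leaking the position of the first mismatching byte via timing.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(KeySize);
        }
    }
}
```

On signup store the string returned by Hash; on login call Verify with the entered password and that stored string, which is the comparison the question asks for.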

What about writing code like this:

using System;
using System.Text;
using System.Security.Cryptography;

namespace CodeShare.Cryptography
{
    public static class SHA
    {
        // Returns the SHA-512 digest of inputString as an upper-case hex string.
        public static string GenerateSHA512String(string inputString)
        {
            using (SHA512 sha512 = SHA512.Create())
            {
                byte[] bytes = Encoding.UTF8.GetBytes(inputString);
                byte[] hash = sha512.ComputeHash(bytes);
                return GetStringFromHash(hash);
            }
        }

        // Formats each digest byte as two upper-case hex digits.
        private static string GetStringFromHash(byte[] hash)
        {
            StringBuilder result = new StringBuilder();
            for (int i = 0; i < hash.Length; i++)
            {
                result.Append(hash[i].ToString("X2"));
            }
            return result.ToString();
        }
    }
}

Example:

public void UsageExample()
{
    Console.WriteLine(SHA.GenerateSHA512String("abc"));
    // prints DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA20A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD454D4423643CE80E2A9AC94FA54CA49F
}
