Nov 03, 2013 Hello, been trying for a few days now trying to get hashcat to work, cracking a MD5 hash with salt. This is just a quick example or what I am trying to do.
- Crack Hash Password With Salt
- Crack The Hash
- Password Hash Salt
- Salt Hash Decrypt
- Crack Hash Password With Salt Powder
Active2 months ago
I was just going through one of DavidHayden's articles on Hashing User Passwords.
Really I can't get what he is trying to achieve.
Here is his code:
Is there any other C# method for hashing passwords and adding salt to it?
DuckMaestro9,8588 gold badges54 silver badges79 bronze badges
ACPACP19k91 gold badges209 silver badges352 bronze badges
13 Answers
Actually this is kind of strange, with the string conversions - which the membership provider does to put them into config files. Hashes and salts are binary blobs, you don't need to convert them to strings unless you want to put them into text files.
In my book, Beginning ASP.NET Security, (oh finally, an excuse to pimp the book) I do the following
The salt generation is as the example in the question. You can convert text to byte arrays using
Encoding.UTF8.GetBytes(string)
. If you must convert a hash to its string representation you can use Convert.ToBase64String
and Convert.FromBase64String
to convert it back.Crack Hash Password With Salt
You should note that you cannot use the equality operator on byte arrays, it checks references and so you should simply loop through both arrays checking each byte thus
Always use a new salt per password. Salts do not have to be kept secret and can be stored alongside the hash itself.
Bern5,9754 gold badges28 silver badges41 bronze badges
blowdartblowdart48.4k10 gold badges94 silver badges139 bronze badges
What blowdart said, but with a little less code. Use Linq or
CopyTo
to concatenate arrays.Linq has an easy way to compare your byte arrays too.
Before implementing any of this however, check out this post. For password hashing you may want a slow hash algorithm, not a fast one.
To that end there is the
Rfc2898DeriveBytes
class which is slow (and can be made slower), and may answer the second part of the original question in that it can take a password and salt and return a hash. See this question for more information. Note, Stack Exchange is using Rfc2898DeriveBytes
for password hashing (source code here).Community♦
Adam BoddingtonAdam BoddingtonCrack The Hash
5,9952 gold badges16 silver badges12 bronze badges
I've been reading that hashing functions like SHA256 weren't really intended for use with storing passwords:https://patrickmn.com/security/storing-passwords-securely/#notpasswordhashes
Instead adaptive key derivation functions like PBKDF2, bcrypt or scrypt were. Here is a PBKDF2 based one that Microsoft wrote for PasswordHasher in their Microsoft.AspNet.Identity library:
Note this requires Microsoft.AspNetCore.Cryptography.KeyDerivation nuget package installed which requires .NET Standard 2.0 (.NET 4.6.1 or higher). For earlier versions of .NET see the Crypto class from Microsoft's System.Web.Helpers library.
Update Nov 2015
Updated answer to use an implementation from a different Microsoft library which uses PBKDF2-HMAC-SHA256 hashing instead of PBKDF2-HMAC-SHA1 (note PBKDF2-HMAC-SHA1 is still secure if iterCount is high enough). You can check out the source the simplified code was copied from as it actually handles validating and upgrading hashes implemented from previous answer, useful if you need to increase iterCount in the future.
MichaelMichaelUpdated answer to use an implementation from a different Microsoft library which uses PBKDF2-HMAC-SHA256 hashing instead of PBKDF2-HMAC-SHA1 (note PBKDF2-HMAC-SHA1 is still secure if iterCount is high enough). You can check out the source the simplified code was copied from as it actually handles validating and upgrading hashes implemented from previous answer, useful if you need to increase iterCount in the future.
8,1602 gold badges49 silver badges48 bronze badges
Salt is used to add an extra level of complexity to the hash, to make it harder to brute-force crack.
From an article on Sitepoint:
A hacker can still perform what's called a dictionary attack. Malicious parties may make a dictionary attack by taking, for instance, 100,000 passwords that they know people use frequently (e.g. city names, sports teams, etc.), hash them, and then compare each entry in the dictionary against each row in the database table. If the hackers find a match, bingo! They have your password. To solve this problem, however, we need only salt the hash.
To salt a hash, we simply come up with a random-looking string of text, concatenate it with the password supplied by the user, then hash both the randomly generated string and password together as one value. We then save both the hash and the salt as separate fields within the Users table.
In this scenario, not only would a hacker need to guess the password, they'd have to guess the salt as well. Adding salt to the clear text improves security: now, if a hacker tries a dictionary attack, he must hash his 100,000 entries with the salt of every user row. Although it's still possible, the chances of hacking success diminish radically.
Chess free download windows 8. Nov 22, 2017 Free Download Chess For Windows. Free Download Chess PC Games For Windows 7/8/8.1/10/XP. Free Download Chess PC Games For Windows Full Version and start playing now and rember it’s Racing Games For Windows,it’s the best Free PC games for kids, girls and boys!All listed games for pc are absolutely free games download for windows! It’s Car Racing Games,best racing. Chess game for windows 8 free download - Chess Masters Online for Windows 8, The Chess Lv.100 for Windows 8, Chess By Post Free for Windows 8, and many more programs.
There is no method automatically doing this in .NET, so you'll have go with the solution above.
Seb NilssonSeb Nilsson14.4k29 gold badges90 silver badges115 bronze badges
I created a class that has the following method:
- Create Salt
- Hash Input
- Validate input`
Bamidele AlegbeBamidele Alegbe
Bah, this is better! http://sourceforge.net/projects/pwdtknet/ and it is better because ... it performs Key Stretching AND uses HMACSHA512 :)
thashiznetsthashiznets
I have made a library SimpleHashing.Net to make the process of hashing easy with basic classes provided by Microsoft. Ordinary SHA is not really enough to have passwords stored securely anymore.
Eltima virtual serial port driver. Eltima Virtual Serial Port ActiveX Control is a powerful tool for professional developers that allows your application to create custom additional virtual serial port in system and fully control it. Eltima Virtual Serial Port ActiveX Control is a powerful tool for professional developers that allows your application to create custom additional virtual serial port in system and fully control it. You can view parameters information of a virtual serial port, set by other application. You can view parameters information of a virtual serial port, set by other application.
The library use the idea of hash format from Bcrypt, but since there is no official MS implementation I prefer to use what's available in the framework (i.e. PBKDF2), but it's a bit too hard out of the box.
Password Hash Salt
This is a quick example how to use the library:
Ilya ChernomordikIlya Chernomordik11.2k8 gold badges53 silver badges101 bronze badges
This is how I do it. I create the hash and store it using the
iliketocodeProtectedData
api:5,7394 gold badges33 silver badges49 bronze badges
JGUJGU
I read all answers and I think those enough, specially @Michael articles with slow hashing and @CodesInChaos good comments, but I decided to share my code snippet for hashing/validating that may be useful and it does not require [Microsoft.AspNet.Cryptography.KeyDerivation].
Please pay attention SlowEquals function that is so important, Finally, I hope this help and Please don't hesitate to advise me about better approaches.
Salt Hash Decrypt
QMasterQMaster2,5181 gold badge28 silver badges48 bronze badges
Use the
System.Web.Helpers.Crypto
NuGet package from Microsoft. It automatically adds salt to the hash.You hash a password like this:
var hash = Crypto.HashPassword('foo');
You verify a password like this:
var verified = Crypto.VerifyHashedPassword(hash, 'foo');
Kai HartmannKai Hartmann
ankush shuklaankush shukla
In answer to this part of the original question 'Is there any other C# method for hashing passwords' You can achieve this using ASP.NET Identity v3.0 https://www.nuget.org/packages/Microsoft.AspNet.Identity.EntityFramework/3.0.0-rc1-final
Dave CornallDave Cornall
sateesh7,4882 gold badges16 silver badges39 bronze badges
ehsanehsan