1001binary

Posted on Feb 22, 2021

Hashing Password combining with Salt in C# and VB.NET

#csharp #dotnet #password #security

In this post, I show you how to protect password using hash-salt mechanism.

Hashing password using salt is one of the best practices in protecting user accounts from hackers and who you don't want anyone to see plain-text passwords in databases or text files. This is really great. In case hackers have stolen databases, they also need more time to decryte them. It won't be easy at all. At the same time, you have time to reset all passwords or suggest users to change passwords right away.

My background is .NET developer. That's why I have written two simple functions in C# and VB.NET as below.

public class SecurityHelper
{
    public static string GenerateSalt(int nSalt)
    {
        var saltBytes = new byte[nSalt];

        using (var provider = new RNGCryptoServiceProvider())
        {
            provider.GetNonZeroBytes(saltBytes);
        }

        return Convert.ToBase64String(saltBytes);
    }

    public static string HashPassword(string password, string salt, int nIterations, int nHash)
    {
        var saltBytes = Convert.FromBase64String(salt);

        using (var rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, saltBytes, nIterations))
        {
            return Convert.ToBase64String(rfc2898DeriveBytes.GetBytes(nHash));
        }
    }
}

VB.NET

Public Class SecurityHelper
    Public Shared Function GenerateSalt(ByVal nSalt As Integer) As String
        Dim saltBytes = New Byte(nSalt) {}

        Using provider = New RNGCryptoServiceProvider()
            provider.GetNonZeroBytes(saltBytes)
        End Using

        Return Convert.ToBase64String(saltBytes)
    End Function

    Public Shared Function HashPassword(ByVal password As String, ByVal salt As String, ByVal nIterations As Integer, ByVal nHash As Integer) As String
        Dim saltBytes = Convert.FromBase64String(salt)

        Using rfc2898DeriveBytes = New Rfc2898DeriveBytes(password, saltBytes, nIterations)
            Return Convert.ToBase64String(rfc2898DeriveBytes.GetBytes(nHash))
        End Using
    End Function
End Class

For example:

string pwd = "123Abc#@";
string salt = SecurityHelper.GenerateSalt(70);
string pwdHashed = SecurityHelper.HashPassword(pwd, salt, 10101, 70);
Console.WriteLine(pwdHashed);
Console.WriteLine(salt);

Hope you enjoy this post.

Happy coding :)

Top comments (4)

Mganda • Dec 18 '22

From what you have, this is how you would verify password:

public static bool verifypassword(string password, string hashed_password, string salt)
        {
            string new_hashed = HashPassword(password, salt, 1000);
            return new_hashed.Equals(hashed_password);
        }

Krammig • Sep 10 '22

I guess the question by @parajdox was - How to verify the user against the Hashed password

John Dave Dalmao • May 10 '21

how do we decrypt this?

juliancollinson • Jul 14 '21 • Edited

The main point of any hash algorithm is that it works only one way.
Decrypt should be impossible after the hash operation is done.
Generally this works perfect for passwords because there is no need to decrypt the hashed password, you just need to hash the password inserted in the login form and compare it with the hash saved in the db

DEV Community

Hashing Password combining with Salt in C# and VB.NET

Top comments (4)

Read next

Nodejs Security - What You Need To Know - Live Stream

Quick guide to secure/encrypt your properties in MuleSoft

Env vs AppSettings, Want to keep your Env?

Gentle introduction to IDataProtector (C#)