Hashing Passwords Using Enterprise Library 2.0 Cryptography Application Block - SHA1Managed Hash Provider


by David Hayden ( .NET Developer )

 

Storing user passwords in your database is necessary, but storing them in clear text is bad.  The security best practice is to store a one-way hash of each password instead of the password itself, so that someone who obtains a copy of the database does not obtain the passwords.  The next time the user enters his/her password, it is hashed the same way and the resulting hash is compared to the one stored in the database.  If the hashes are equal, the passwords are taken to be identical.

If the user forgets his password, it is tough love, because the application does not know the original password, only its hash.  The application will need to generate a temporary password and send it to the user at the email address provided during registration.  Because it is only temporary, the user should then choose a new password, whose hash is once again stored in the database.

 

Hashing Passwords Using Enterprise Library 2.0 Cryptography Application Block

The Enterprise Library 2.0 Cryptography Application Block can assist you with hashing and comparing hashed passwords.  You can select from a number of hash providers in the .NET 2.0 Framework or create your own:

[Screenshot: Cryptography Application Block - David Hayden]

The key to everything you do in Enterprise Library 2.0 is the Enterprise Library 2.0 Configuration Tool.   Shown below, I have chosen the SHA1Managed Hash Provider for hashing my passwords and have enabled salting.  With saltEnabled set, the Cryptography Application Block mixes a random salt into each hash, so two users with the same password get different stored hashes and an attacker cannot look the hashes up in a precomputed table.  Keep in mind that SHA-1 is a fast general-purpose hash: the salt stops precomputation, but it does nothing to slow down brute-force guessing of a weak password, so it is no substitute for strong passwords.

[Screenshot: Cryptography Application Block - David Hayden]

Hashing Passwords Using C# and Enterprise Library 2.0

As mentioned in the previous article:

the Cryptographer Class is responsible for handling all cryptography needs ( encryption and hashing ) for your windows and web applications.

Hashing a password is as simple as:

 

using System.Text;
using Microsoft.Practices.EnterpriseLibrary.Security.Cryptography;

// Convert password to byte array
byte[] password = Encoding.Unicode.GetBytes("password");

// Convert password byte array to hash.
// The SHA1Managed Hash Provider has been
// named "MyHasher" in the config file.
byte[] hashedPassword = Cryptographer.CreateHash("MyHasher", password);

 

As mentioned above, “MyHasher“ is the name I had chosen for the SHA1Managed Hash Provider.  You can see the name here in the abbreviated web.config file:

 

<hashProviders>
  <add algorithmType="System.Security.Cryptography.SHA1Managed..."
       saltEnabled="true"
       type="Microsoft.Practices.EnterpriseLibrary.Security.Cryptography..."
       name="MyHasher" />
</hashProviders>

 

Comparing Hashed Passwords Using C# and Enterprise Library 2.0

When the user enters his/her password, your application needs to hash it and compare the result with the hashed version on file.  The Enterprise Library 2.0 Cryptography Application Block meets this need with the CompareHash method of the Cryptographer class.  Use CompareHash rather than calling CreateHash a second time and comparing the two byte arrays yourself: with saltEnabled, CreateHash draws a fresh random salt on every call, so hashing the same password twice does not produce the same bytes, and CompareHash is what recovers the salt from the stored hash and re-hashes the entered password with it.

 

using System.Text;
using Microsoft.Practices.EnterpriseLibrary.Security.Cryptography;

// Convert password to byte array
byte[] password = Encoding.Unicode.GetBytes("password");

// Convert password byte array to hash.
// The SHA1Managed Hash Provider has been
// named "MyHasher" in the config file.
// Pretend this came from the database.
byte[] origHashedPassword = Cryptographer.CreateHash("MyHasher", password);

// Password entered by user.
byte[] passwordEntered = Encoding.Unicode.GetBytes("password");

// Compare the passwords: CompareHash reads the salt out of
// origHashedPassword, re-hashes passwordEntered with it and compares.
bool isMatch = Cryptographer.CompareHash("MyHasher", passwordEntered, origHashedPassword);

if (isMatch)
{
    // Passwords match
}
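To make concrete what saltEnabled changes and why the comparison has to go through CompareHash, here is an added example (not code from the original post or from Enterprise Library) that reproduces the salted SHA-1 scheme with nothing but the .NET base class library, so it runs without the Cryptography Application Block.  It assumes the layout used by the block's hash provider: a 16-byte random salt, a SHA-1 digest computed over salt followed by password, and a stored value of salt followed by digest.  The class and method names SaltedSha1, CreateHash, CreateHashWithSalt, CompareHash and FixedTimeEquals are my own, and the salt length and ordering are assumptions to verify against your Enterprise Library assembly before relying on this for interoperability with hashes it produced.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original post or from Enterprise Library.
// Assumed layout: stored = salt(16 bytes) || SHA1(salt || password).
static class SaltedSha1
{
    const int SaltLength = 16;      // assumed salt size
    const int DigestLength = 20;    // SHA-1 output size

    // Hash with a freshly generated random salt (what saltEnabled does).
    public static byte[] CreateHash(byte[] plaintext)
    {
        byte[] salt = new byte[SaltLength];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        return CreateHashWithSalt(plaintext, salt);
    }

    // Hash with a caller-supplied salt; used both for creating and verifying.
    static byte[] CreateHashWithSalt(byte[] plaintext, byte[] salt)
    {
        byte[] input = new byte[salt.Length + plaintext.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(plaintext, 0, input, salt.Length, plaintext.Length);

        byte[] digest;
        using (SHA1 sha1 = SHA1.Create())
        {
            digest = sha1.ComputeHash(input);
        }

        // Prepend the salt so that verification can recover it later.
        byte[] stored = new byte[salt.Length + digest.Length];
        Buffer.BlockCopy(salt, 0, stored, 0, salt.Length);
        Buffer.BlockCopy(digest, 0, stored, salt.Length, digest.Length);
        return stored;
    }

    // Recover the salt from the stored value, re-hash, and compare.
    public static bool CompareHash(byte[] plaintext, byte[] storedHash)
    {
        if (storedHash == null || storedHash.Length != SaltLength + DigestLength)
            return false;

        byte[] salt = new byte[SaltLength];
        Buffer.BlockCopy(storedHash, 0, salt, 0, SaltLength);

        byte[] recomputed = CreateHashWithSalt(plaintext, salt);
        return FixedTimeEquals(recomputed, storedHash);
    }

    // Compare every byte regardless of where the first mismatch is,
    // so the comparison time does not leak how many bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

class Program
{
    static void Main()
    {
        // Same UTF-16 encoding as the post uses.
        byte[] password = Encoding.Unicode.GetBytes("password");
        byte[] first = SaltedSha1.CreateHash(password);
        byte[] second = SaltedSha1.CreateHash(password);

        Console.WriteLine("first:  " + BitConverter.ToString(first));
        Console.WriteLine("second: " + BitConverter.ToString(second));
        // Different salts, so the two stored values differ...
        Console.WriteLine("stored values identical: "
            + (BitConverter.ToString(first) == BitConverter.ToString(second)));
        // ...yet both verify against the same password.
        Console.WriteLine("first verifies:  " + SaltedSha1.CompareHash(password, first));
        Console.WriteLine("second verifies: " + SaltedSha1.CompareHash(password, second));
        // A different password (case changed) does not verify.
        byte[] wrong = Encoding.Unicode.GetBytes("Password");
        Console.WriteLine("wrong password:  " + SaltedSha1.CompareHash(wrong, first));
    }
}
```

Running it shows two different 36-byte values for the same password, both of which verify, while a password differing in one character does not.  This is exactly why a naive "hash again and compare arrays" check would reject every valid login once salting is enabled, and why the salt must be stored with the digest.  The byte-by-byte comparison is deliberately not short-circuited; a plain early-exit compare lets an attacker with precise timing learn how many leading bytes of a guess matched.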

 

Conclusion

The Enterprise Library 2.0 Cryptography Application Block makes hashing user passwords and comparing hashed passwords a breeze in your .NET winform and ASP.NET web applications.

 

Source:  David Hayden ( .NET Developer )


posted on Sunday, March 05, 2006 12:32 PM
