C# (ASP.NET Core MVC) and how to secure passwords (salted passwords) Updated 190721

This article covers these topics:

  1. Plain password
  2. Encrypted passwords using SHA1
  3. Encrypted passwords using SHA1+Salt
  4. Encrypted passwords using RFC2898 password (TBD)
  5. Encrypted password using an OAuth service (TBD)

1 Plain passwords
When you create a web page with a login and password for the users, you have to consider how the password will be stored in the database. The simplest, and most insecure, way is to store the plain password in the database. One big disadvantage is that everybody who gains access to the database can read the password and use it to log in. Many people use the same password for different login pages, and if one database with passwords is lost, an intruder can use those passwords to gain access to the other login pages as well.

TBD

2 Encrypted passwords using SHA1

One way to solve this is to encrypt the password before it is stored in the database (strictly, SHA1 is a one-way hash rather than reversible encryption, but this article keeps the word "encrypt"). You could of course create your own encryption, but there are several standard algorithms that can be used. One of them is SHA1. When the user types in the password, the software must first encrypt the password and then compare the encrypted password with the encrypted password stored in the database to grant the user access. One drawback is that the same password gives the same encrypted password: an intruder who cracks one password also knows the password of every other user with the same password. Another drawback is that SHA1 is simple to crack.

//Create user
//===========
using (DbModels dbModel = new DbModels())
{
    if (dbModel.logintable2.Any(x => x.user == login.user))
    {
        ViewBag.DuplicateMessage = "Username already exists.";
        return View("AddOrEdit", login);
    }

    //Create SHA1 Password (only the hash is stored, never the plain password)
    login.passwd = CreateSHA1Passwd(login.passwd);

    login.Confirmpasswd = login.passwd;

    dbModel.logintable2.Add(login);
    dbModel.SaveChanges();

    ................

//Verify Password
//===============
//Without a salt, VerifyPassword only needs the entered password and the stored hash
if (!VerifyPassword(login.passwd, userList[0].passwd))
{
    ViewBag.DuplicateMessageLogin = "Wrong username or password";
    return View("AddOrEdit", login);
}
else
{
    FormsAuthentication.SetAuthCookie(login.user, false);
    return RedirectToAction("ShopmainView", "Shopmain");
    .......

//Common subroutines
//==================
//Requires: using System.Text; using System.Security.Cryptography;
public static bool VerifyPassword(string enteredPassword, string storedHash)
{
    //Hash what the user typed and compare it with the hash in the database
    var SHA1Password = CreateSHA1Passwd(enteredPassword);
    return (SHA1Password == storedHash);
}

public static string CreateSHA1Passwd(string enteredPassword)
{
    // Create SHA1-Hash (SHA1.Create() replaces the obsolete SHA1Managed; using disposes it)
    using (var sha1 = SHA1.Create())
    {
        var plaintextBytes = Encoding.UTF8.GetBytes(enteredPassword);
        var hashBytes = sha1.ComputeHash(plaintextBytes);

        // Return the hash as a lowercase hex string (40 characters for SHA1)
        var stringbuild = new StringBuilder();
        foreach (var hashByte in hashBytes)
        {
            stringbuild.AppendFormat("{0:x2}", hashByte);
        }
        return stringbuild.ToString();
    }
}

3 Encrypted passwords using SHA1+Salt

To make it harder for an intruder to crack passwords, use a secret random string that is concatenated either to the end or to the beginning of the password before it is hashed and stored in the database. The random string, also called a salt, is different for each user; it must also be stored, preferably in a different database. If an intruder gets access to one database with encrypted passwords, it is harder for the intruder to break a password, and if the intruder cracks one password, the same password used by another user is still stored as a different encrypted value because the salt differs. One drawback remains: SHA1 is simple to crack.

//Create user
//===========
//Create Salt (a new random salt for every user)
string Salt = GenerateSalt(32);
login.salt = Salt;
login.passwd = login.passwd + Salt;
//OR
//login.passwd = Salt + login.passwd;

//Create Salted SHA1 Password
login.passwd = CreateSHA1Passwd(login.passwd);
......................

//Verify Password
//===============
//The stored salt is needed to recompute the hash of the entered password
if (!VerifyPassword(login.passwd, userList[0].passwd, userList[0].salt))
{
    ViewBag.DuplicateMessageLogin = "Wrong username or password";
    return View("AddOrEdit", login);
}
else
{
    FormsAuthentication.SetAuthCookie(login.user, false);
    return RedirectToAction("ShopmainView", "Shopmain");
    .......................

//Common subroutines
//==================
//Requires: using System.Text; using System.Security.Cryptography;
public static bool VerifyPassword(string enteredPassword, string storedHash, string storedSalt)
{
    //Salt must be appended in the same position as when the user was created
    var saltedPassword = enteredPassword + storedSalt;
    var SHA1saltedPassword = CreateSHA1Passwd(saltedPassword);
    return (SHA1saltedPassword == storedHash);
}

public static string GenerateSalt(int SaltLength)
{
    string ValidSaltChar = "abcdefghijklmnopqrstuvwxyzA" +
           "BCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!#¤%&/()=?";

    // Use the cryptographic RNG, not System.Random: System.Random is not
    // designed for security and its output can be predicted, which defeats
    // the purpose of the salt. RandomNumberGenerator.GetInt32 needs
    // .NET Core 3.0 / .NET 5 or later.
    var Randomstr = new StringBuilder(SaltLength);
    for (int i = 0; i < SaltLength; i++)
    {
        // Upper bound is exclusive and the lower bound is 0, so every
        // character in ValidSaltChar (including the first one) can be chosen
        int rndnumber = RandomNumberGenerator.GetInt32(ValidSaltChar.Length);
        Randomstr.Append(ValidSaltChar[rndnumber]);
    }
    return Randomstr.ToString();
}

public static string CreateSHA1Passwd(string enteredPassword)
{
    // Create SHA1-Hash (SHA1.Create() replaces the obsolete SHA1Managed; using disposes it)
    using (var sha1 = SHA1.Create())
    {
        var plaintextBytes = Encoding.UTF8.GetBytes(enteredPassword);
        var hashBytes = sha1.ComputeHash(plaintextBytes);

        // Return the hash as a lowercase hex string (40 characters for SHA1)
        var stringbuild = new StringBuilder();
        foreach (var hashByte in hashBytes)
        {
            stringbuild.AppendFormat("{0:x2}", hashByte);
        }
        return stringbuild.ToString();
    }
}

4 Encrypted passwords using RFC2898+Salt

Since SHA1 is too weak, you should use a more secure method, and that is RFC2898+Salt. TBD
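As an added example for this section (not the article's own code, which is still to be written), the following console program stores and verifies a password with RFC 2898 (PBKDF2) via .NET's built-in Rfc2898DeriveBytes. It assumes .NET Core 2.1 / .NET 5 or later for CryptographicOperations.FixedTimeEquals; the "iterations.salt.hash" storage format, the 16-byte salt, the SHA256-based PBKDF2 variant and the iteration count are my own choices, not anything the article specifies.

```csharp
using System;
using System.Security.Cryptography;

// Added example: PBKDF2 (RFC 2898) password storage for the RFC2898+Salt section.
// Assumes .NET Core 2.1+ / .NET 5+. Storage format and parameters are constructed here.
public static class Pbkdf2Password
{
    private const int SaltSize = 16;          // 128-bit random salt per user
    private const int HashSize = 32;          // 256-bit derived key
    private const int Iterations = 100_000;   // constructed value; tune so hashing takes ~100 ms on your server

    // Returns "iterations.saltBase64.hashBase64" so the parameters travel with the hash
    // and can be raised later without breaking existing records.
    public static string HashPassword(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);               // cryptographic RNG, not System.Random
        }
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            byte[] hash = kdf.GetBytes(HashSize);
            return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
        }
    }

    // Recomputes PBKDF2 with the salt and iteration count stored in the record.
    // Any malformed record is treated as "wrong password" rather than throwing.
    public static bool VerifyPassword(string enteredPassword, string storedRecord)
    {
        // Base64 never contains '.', so splitting on it is unambiguous.
        string[] parts = storedRecord.Split('.');
        if (parts.Length != 3) return false;
        if (!int.TryParse(parts[0], out int iterations) || iterations <= 0) return false;

        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[1]);
            expected = Convert.FromBase64String(parts[2]);
        }
        catch (FormatException)
        {
            return false;
        }

        using (var kdf = new Rfc2898DeriveBytes(enteredPassword, salt, iterations, HashAlgorithmName.SHA256))
        {
            byte[] actual = kdf.GetBytes(expected.Length);
            // Fixed-time comparison: a plain == on strings or arrays stops at the first
            // differing byte, which leaks timing information about the stored hash.
            return CryptographicOperations.FixedTimeEquals(actual, expected);
        }
    }

    public static void Main()
    {
        // Constructed sample password, used only to exercise the two functions.
        string stored = HashPassword("correct horse battery staple");
        Console.WriteLine("Stored record: " + stored);
        Console.WriteLine("Correct password accepted: " + VerifyPassword("correct horse battery staple", stored));
        Console.WriteLine("Wrong password rejected:   " + !VerifyPassword("wrong password", stored));
        // The same password hashed a second time gets a fresh salt, so the records differ.
        Console.WriteLine("Second hash differs:       " + (stored != HashPassword("correct horse battery staple")));
    }
}
```

Compared with the SHA1+Salt section, the salt is generated with the cryptographic RNG and stored next to the hash, the hash is slowed down by the iteration count so brute force costs the attacker proportionally more, and the comparison no longer uses string ==.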
