How to Hash Password In ASP.NET Core

How to Hash Password In ASP.NET Core

In this article, you’ll learn Hashing In ASP.NET Core application on the .NET Core framework. when you’re dealing with people’s information. for example, you have a website that has user accounts on the Shopping website or whatever store. the password safely is very important hashing. the password is very important because most people use the same password across different types of services online. and if you don’t hash it properly if or attacker grabs the database.

When you’re hashing passwords it’s not good enough to store it in the database using a simple hash MD5, SHA-1, SHA-224, SHA-256 because when you create a hash, it has the same output. It means to say is that the output never changes for the hash and if you have a user base of or thousands or say millions of people chances are that that quite a few people are going to have the same password and if you actually have a hash with not your security.

So, we’re going to be dealing with salting and hashing the passwords salting is basically adding a random string of bytes to a user’s password. so that if two people user A and user B has the word dog as a password which is a very terrible password with the random salt. they’ll be creating for each one it will come out hash differently in the database so if one person is compromised then the other person is not but, of course, you want to choose a stronger password one that’s longer that mixes a matches numbers with lowercase uppercase special characters.

Let’s go, ahead and start creating some simple hash and create the salt function you can define the size of the actual salt.

How to use Hash Data

The new Data Protection .NET Core API includes functionality to create hashes utilizing PBKDF2algorithm. ASP.NET Core utilizes this in the background scenes functionality in PasswordHasher class, which is used in ASP.NET Core Identity.

Create a class library and add the following NuGet package –

Using Namespace Microsoft.AspNetCore.Cryptography.KeyDerivation and Add a class to encapsulate the hashing logic.

public class Hash  
{  
 public static string Create(string value, string salt)  
 {  
	 var valueBytes = KeyDerivation.Pbkdf2(  
						 password: value,  
						 salt: Encoding.UTF8.GetBytes(salt),  
						 prf: KeyDerivationPrf.HMACSHA512,  
						 iterationCount: 10000,  
						 numBytesRequested: 256 / 8);  

	 return Convert.ToBase64String(valueBytes);  
 }  

 public static bool Validate(string value, string salt, string hash)  
	 => Create(value, salt) == hash;  
} 

Add a class following to encapsulate the logic for creating a random salt.

public class Salt  
{  
     public static string Create()  
     {  
         byte[] randomBytes = new byte[128 / 8];  
         using (var generator = RandomNumberGenerator.Create())  
         {  
             generator.GetBytes(randomBytes);  
             return Convert.ToBase64String(randomBytes);  
         }  
     }  
}

After that, Add tests to verify the functionality, e.g,

public void Untampered_hash_matches_the_text()  
{  
  // Arrange  
  var message = "passw0rd";  
  var salt = Salt.Create();  
  var hash = Hash.Create(message, salt);  

  // Act  
  var match = Hash.Validate(message, salt, hash);  

  // Assert  
  Assert.True(match);  
}  
  
  [Fact(DisplayName = "Tampered_hash_does_not_matche_the_text")]  
  public void Tampered_hash_does_not_matche_the_text()  
  {  
      // Arrange  
      var message = "passw0rd";  
      var salt = Salt.Create();  
      var hash = "blahblahblah";  
  
      // Act  
      var match = Hash.Validate(message, salt, hash);  
  
      // Assert  
      Assert.False(match);  
  }  
  
  [Fact(DisplayName = "Hash_of_two_different_messages_dont_match")]  
  public void Hash_of_two_different_messages_dont_match()  
  {  
      // Arrange  
      var message1 = "passw0rd";  
      var message2 = "password";  
      var salt = Salt.Create();  
  
      // Act  
      var hash1 = Hash.Create(message1, salt);  
      var hash2 = Hash.Create(message2, salt);  
  
      // Assert  
      Assert.True(hash1 != hash2);  
  } 

Leave a Reply

Your email address will not be published. Required fields are marked *