HiveBrain v1.2.0
Get Started
← Back to all entries
patterncsharpMinor

Secure password hashing implementation

Submitted by: @import:stackexchange-codereview··
0
Viewed 0 times
hashingimplementationsecurepassword

Problem

I'm implementing a password hashing method for a website. The code below is part of the User class.

Any pointers on what I could do better?

private string GenerateSalt(int SaltLength) {
    using (var rng = new RNGCryptoServiceProvider()) {
        var salt_bytes = new byte[SaltLength];
        rng.GetNonZeroBytes(salt_bytes);
        return Convert.ToBase64String(salt_bytes);
    }
}

private string GeneratePasswordHash(string Password) {
    //create an hmac hash of the password using the pepper value as the key
    using (var hmacsha = new HMACSHA512(ConvertStringToBytes(ConfigurationManager.AppSettings["PasswordHashPepper"]))) {
        byte[] initial_hash = hmacsha.ComputeHash(ConvertStringToBytes(Password));

        //generate a key value using pbkdf2 that will serve as the password hash
        using (var pbkdf2 = new Rfc2898DeriveBytes(initial_hash, ConvertStringToBytes(this.Salt), int.Parse(ConfigurationManager.AppSettings["PasswordHashWorkFactor"]))) {
            return ConvertBytesToString(pbkdf2.GetBytes(128));
        }
    }
}

private byte[] ConvertStringToBytes(string conversionString) {
    byte[] bytes = new byte[conversionString.Length * sizeof(char)];
    System.Buffer.BlockCopy(conversionString.ToCharArray(), 0, bytes, 0, bytes.Length);
    return bytes;
}

private string ConvertBytesToString(byte[] conversionBytes) {
    char[] chars = new char[conversionBytes.Length / sizeof(char)];
    System.Buffer.BlockCopy(conversionBytes, 0, chars, 0, conversionBytes.Length);
    return new string(chars);
}

public void SetNewPassword(string NewPassword) {
    this.Salt = GenerateSalt(64);
    this.PasswordHash = GeneratePasswordHash(NewPassword);
}

public bool ValidatePassword(string AttemptedPassword) {
    return (GeneratePasswordHash(AttemptedPassword) == this.PasswordHash);
}

Solution

I recommend creating a static class named something like Hash, Crypto or Password depending on your project/context and making these methods public static, instead of making them private methods for the user class.
WARNING!

Unless your password encryption management code is sophisticated enough to manage password scheme versions and handle multi-version-migration complications PasswordHashWorkFactor should not be editable (i.e. by editing the relevant key in the config file). In that case, editing it would cause migration efforts or MORE IMPORTANTLY the attacker with R/W access to the config file can crash the system easily by adding an unnoticeable digit to PasswordHashWorkFactor (add a 0 to 100000). It would take significant time of the admin/dev to figure out the problem in a sophisticated config file while the users cannot log in. You may have it hardcoded as a const at the static class and change it in every major release at the code level. Again this is a matter of convenience vs security trade-off.

Here is my feedback in more detail as an implementation. You may want to check it out.

Context

StackExchange Code Review Q#64764, answer score: 3

Revisions (0)

No revisions yet.