current community

your communities

more stack exchange communities

Stack Exchange
tour help
Take the 2-minute tour ×
Code Review Stack Exchange is a question and answer site for peer programmer code reviews. It's 100% free, no registration required.
up vote 5 down vote favorite

I'm implementing a password hashing method for a website. The code below is part of the User class.

Any pointers on what I could do better?

private string GenerateSalt(int SaltLength) {
    using (var rng = new RNGCryptoServiceProvider()) {
        var salt_bytes = new byte[SaltLength];
        rng.GetNonZeroBytes(salt_bytes);
        return Convert.ToBase64String(salt_bytes);
    }
}

private string GeneratePasswordHash(string Password) {
    //create an hmac hash of the password using the pepper value as the key
    using (var hmacsha = new HMACSHA512(ConvertStringToBytes(ConfigurationManager.AppSettings["PasswordHashPepper"]))) {
        byte[] initial_hash = hmacsha.ComputeHash(ConvertStringToBytes(Password));

        //generate a key value using pbkdf2 that will serve as the password hash
        using (var pbkdf2 = new Rfc2898DeriveBytes(initial_hash, ConvertStringToBytes(this.Salt), int.Parse(ConfigurationManager.AppSettings["PasswordHashWorkFactor"]))) {
            return ConvertBytesToString(pbkdf2.GetBytes(128));
        }
    }
}

private byte[] ConvertStringToBytes(string conversionString) {
    byte[] bytes = new byte[conversionString.Length * sizeof(char)];
    System.Buffer.BlockCopy(conversionString.ToCharArray(), 0, bytes, 0, bytes.Length);
    return bytes;
}

private string ConvertBytesToString(byte[] conversionBytes) {
    char[] chars = new char[conversionBytes.Length / sizeof(char)];
    System.Buffer.BlockCopy(conversionBytes, 0, chars, 0, conversionBytes.Length);
    return new string(chars);
}

public void SetNewPassword(string NewPassword) {
    this.Salt = GenerateSalt(64);
    this.PasswordHash = GeneratePasswordHash(NewPassword);
}

public bool ValidatePassword(string AttemptedPassword) {
    return (GeneratePasswordHash(AttemptedPassword) == this.PasswordHash);
}
share|improve this question

2 Answers 2

up vote 2 down vote accepted

You can use the Encoding class to convert between strings and byte arrays, for example Encoding.UTF8.GetString and Encoding.UTF8.GetBytes. That gives data without the extra padding between each character code, so it's less predictable.

64 bytes of crypto strength data seems overkill for a salt. The salt isn't kept secret so it doesn't have to be that unpredictable. It's only there to create a padding that is practically unique for each user, to prevent use of dictionary attacks and rainbow tables, so it doesn't have to be so very massive.

According to the answers to the question How big salt should be?, 8 bytes is enough for any reasonably large system accoring to the standard, and 16 bytes give plenty of margin for any system imaginable.

share|improve this answer
up vote 0 down vote

Generally, if you can, use libraries for cryptographic problems.

So, you want to implement some sort of cryptography in your software or hardware project. Great. If you fuck this up people aren't going to be just mad like they might be with other bugs. They might be in prison or they might have been assassinated.

Sean Cassidy http://blog.seancassidy.me/so-you-want-to-crypto.html

Other than that, you are hashing passwords with user-specific salts, which seems good. Only question left is whether your hashing algorithms are good enough.

As an aside: I would reconsider putting the crypto code in the user class. It really isn't a user problem, but that is an aside.

share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.