Just a question: why are you using SHA256Managed? Why not use CryptoServiceProvider? I heard the CryptoServiceProvider is a drop-in replacement for Managed. Didn't it exist when you made this video? Do you have a reason to use Managed? Or was my statement invalid?
Good video, couldn't find the ByteArrayToHexString() method though.
Hey, Chris. Let me know if I'm wrong, but from this example I think the salt + hash password you are going to have when you register is different from the one you get when you log in.
Hey Domicio. If I understand your concern, it is that when you register on a page/website, your application itself always creates the salt randomly. So how does the person log in without knowing the salt?
If that's true, there are a couple of things you can do to get past that issue.
When you register, a salt gets created for you; at the same time the username and password you chose also get stored (among possibly other items, such as your first name, last name, email, etc.).
When you try to log in, you enter your username and password. So how does your program get the salt? The way I do it is that I first grab all the salts from the database where the username column in the database matches the username you just entered. (SQL query string: SELECT salt FROM database WHERE UNAME='username')
Of course you'd want to use parameterized strings/prepared statements to prevent SQL injection.
After that, just plug in the salts one by one with the password you entered in the login screen to see if it logs in. I've coded it that way in sample website programs I have and that works fine.
Another way that works, is to not even code the salting and hashing yourself. You can use ASP.NET's membership provider, which handles all of that for you. It can greatly reduce the amount of code you write in your application.
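The register/login flow described in the reply above, written out as an added example (editor's code, not code from the video or from the reply). Assumptions: an in-memory dictionary keyed by username stands in for the users table, so a login finds exactly one salt rather than a list to try one by one; the hash is PBKDF2-HMAC-SHA256 (a slow, iterated hash) swapped in for the single SHA256 pass used in the video; the code targets .NET 6 or later for `Rfc2898DeriveBytes.Pbkdf2`, `RandomNumberGenerator.GetBytes` and `Convert.ToHexString`. The same Verify routine answers the later change-password question: verify the old password exactly like a login, then store the new password under a fresh salt.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example (editor's, not the video's code). Per-user random salt stored next to the
// hash; login looks the salt up by username and recomputes. Assumptions: in-memory
// dictionary as the users table, PBKDF2-HMAC-SHA256 instead of a single SHA256 pass.
public sealed class UserRecord
{
    public string Salt { get; set; } = "";   // hex-encoded, SaltBytes bytes
    public string Hash { get; set; } = "";   // hex-encoded, HashBytes bytes
}

public static class PasswordStore
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int Iterations = 600_000;  // OWASP's 2023 figure for PBKDF2-HMAC-SHA256

    // Stand-in for the users table (constructed for the example): username -> row.
    private static readonly Dictionary<string, UserRecord> Users =
        new Dictionary<string, UserRecord>(StringComparer.Ordinal);

    private static byte[] Derive(byte[] salt, string password) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);

    // Register: fresh random salt, hash the password with it, store both.
    public static void Register(string username, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        Users[username] = new UserRecord
        {
            Salt = Convert.ToHexString(salt),
            Hash = Convert.ToHexString(Derive(salt, password)),
        };
    }

    // Login: fetch the row (a parameterised SELECT salt, hash FROM users WHERE username = @u
    // in real code), recompute with the stored salt, compare in constant time.
    public static bool Verify(string username, string password)
    {
        if (!Users.TryGetValue(username, out UserRecord user))
        {
            // Spend the same work for unknown users so response time does not reveal
            // which usernames exist.
            Derive(new byte[SaltBytes], password);
            return false;
        }
        byte[] salt = Convert.FromHexString(user.Salt);
        byte[] expected = Convert.FromHexString(user.Hash);
        byte[] actual = Derive(salt, password);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // Change password: the old password is checked exactly like a login; the new one
    // gets a brand-new salt, never the old one.
    public static bool ChangePassword(string username, string oldPassword, string newPassword)
    {
        if (!Verify(username, oldPassword)) return false;
        Register(username, newPassword);  // overwrites the row with a new salt and hash
        return true;
    }

    public static void Main()
    {
        Register("domicio", "correct horse battery staple");
        Console.WriteLine("login, right password: " + Verify("domicio", "correct horse battery staple"));
        Console.WriteLine("login, wrong password: " + Verify("domicio", "hunter2"));
        Console.WriteLine("change, wrong old:     " + ChangePassword("domicio", "hunter2", "new pass"));
        Console.WriteLine("change, right old:     " + ChangePassword("domicio", "correct horse battery staple", "new pass"));
        Console.WriteLine("login, new password:   " + Verify("domicio", "new pass"));
    }
}
```

Two details worth keeping even if you stay with plain SHA256 as in the video: compare hashes with `CryptographicOperations.FixedTimeEquals` rather than `==` on strings, and make the username column unique so the lookup returns one salt instead of a list that has to be tried one by one.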
Chris Duran Thank you, man. That was very helpful, and thank you again for replying to my doubt. Today I used your method to create a hash + salt for my application and it is working fine. I'm going to try the method you mentioned about testing every salt with my password.
Great explanation, see ya man.
Domício Medeiros Not a problem! Just FYI, I am going to put up a video within a couple weeks showing the step by step on doing what we discussed above! But have at it as well, happy coding! :)
Nice, let me know if you need some help. =)
Chris, I managed to use your tutorial to save the hashed password into the database, but how do I then match the password when a user tries to log in using the same credentials? Please help.
Hi Chris, thanks for a great video. How do you re-hash the password in your program?
Thanks nikoo! I'm not sure what you mean by re-hash; hashes are one-way functions, so after you hash something there is no way to "unhash" it. You can check out this video ruclips.net/video/JyfgHxe7BL4/видео.html where I show how to hash using MD5 and SHA256. Hope this helps.
Yes, Chris. After I asked my question I found that out. Thank you so much.
No problem!
You have given the size of the salt as 10, but the output generated is 16 characters. Why so? And the size of the salt with SHA256 is 64, is that correct?
Hey Chris, I have implemented your logic in my web service in the Register module and that's working fine; the salt and hash are being stored along with the rest of the user info in the DB. However, I'm working on the Change Password module now. I have three fields on the form: Old Password, New Password and Confirm New Password. When the user enters all 3 fields I need to compare the old salt and hash in the DB with the salt and hash of the password in the New Password field to validate the user. How can I do that? In short, I'm looking for the verify password function. Any help with that will be much appreciated. This will also be used later on in my login function. Thanks.
Are salts stored on the local machine? Are they not stored in the database?
Hey, can you make another video on decryption with salt?
Very nice demo, thank you for it.
If I use the salt just so that the hacker doesn't figure out my password when he's broken into the database, but I store the salt in the database, doesn't that make the whole process with the salt pointless? I mean, he could get the salt and use it to dehash the password.
valentin asparuhov That's very true. Things are never as simple as they seem. You can see how cyber security is never 100% secure, even if people claim their systems are. As for me, I'd also encrypt the salt within the database itself. The encryption key would be in the Web.Config file, with the file itself also being encrypted. That way if someone breaks into the database they still wouldn't have the salt in plain text.
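On the question of what a salt is for once the attacker has the table: a salt is not meant to be secret. Its job is to stop the attacker from precomputing one hash table and checking every user against it, and to stop equal hashes from revealing which users share a password. What it does not stop is a dictionary attack run separately against each user, which is why the hash itself should be slow (PBKDF2, bcrypt or Argon2) rather than one SHA-256 pass. The added example below (editor's code, not from the video or the comments) runs the same small dictionary attack against an unsalted and a salted table; the five-word attacker word list, the three users and their passwords are constructed for the demonstration, and the hash is single-pass SHA-256 as in the video. Requires .NET 6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example (editor's, not the video's code): the same dictionary attack against an
// unsalted table and a salted one. Word list and users are constructed for the demo.
public static class SaltDemo
{
    // Constructed attacker word list.
    private static readonly string[] WordList = { "123456", "password", "letmein", "qwerty", "dragon" };

    private static string Sha256Hex(byte[] input) => Convert.ToHexString(SHA256.HashData(input));

    private static byte[] Concat(byte[] a, byte[] b)
    {
        var r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }

    public static string HashUnsalted(string password) =>
        Sha256Hex(Encoding.UTF8.GetBytes(password));

    public static string HashSalted(byte[] salt, string password) =>
        Sha256Hex(Concat(salt, Encoding.UTF8.GetBytes(password)));

    // Unsalted table: hash = SHA256(password). The attacker hashes the word list ONCE and
    // looks every user up in it; equal hashes also reveal who shares a password.
    public static Dictionary<string, string> CrackUnsalted(Dictionary<string, string> table, out int hashesComputed)
    {
        var precomputed = WordList.ToDictionary(w => HashUnsalted(w), w => w);
        hashesComputed = WordList.Length;
        var found = new Dictionary<string, string>();
        foreach (var row in table)
            if (precomputed.TryGetValue(row.Value, out var pw)) found[row.Key] = pw;
        return found;
    }

    // Salted table: hash = SHA256(salt || password). The precomputed table is useless, the
    // attacker must redo the word list for every user, and the work grows with the user count.
    public static Dictionary<string, string> CrackSalted(Dictionary<string, (string Salt, string Hash)> table, out int hashesComputed)
    {
        hashesComputed = 0;
        var found = new Dictionary<string, string>();
        foreach (var row in table)
        {
            byte[] salt = Convert.FromHexString(row.Value.Salt);
            foreach (string w in WordList)
            {
                hashesComputed++;
                if (HashSalted(salt, w) == row.Value.Hash) { found[row.Key] = w; break; }
            }
        }
        return found;
    }

    public static void Main()
    {
        // Constructed users: alice and bob share "password"; carol's is not in the word list.
        var plaintext = new Dictionary<string, string>
        {
            ["alice"] = "password", ["bob"] = "password", ["carol"] = "Tr0ub4dor&3"
        };

        var unsalted = plaintext.ToDictionary(kv => kv.Key, kv => HashUnsalted(kv.Value));
        var salted = plaintext.ToDictionary(kv => kv.Key, kv =>
        {
            byte[] salt = RandomNumberGenerator.GetBytes(16);   // one random salt per user
            return (Salt: Convert.ToHexString(salt), Hash: HashSalted(salt, kv.Value));
        });

        Console.WriteLine("unsalted: alice and bob hashes equal? " + (unsalted["alice"] == unsalted["bob"]));
        Console.WriteLine("salted:   alice and bob hashes equal? " + (salted["alice"].Hash == salted["bob"].Hash));

        var u = CrackUnsalted(unsalted, out int uWork);
        Console.WriteLine($"unsalted: cracked {u.Count} of {unsalted.Count} users with {uWork} hash computations");
        var s = CrackSalted(salted, out int sWork);
        Console.WriteLine($"salted:   cracked {s.Count} of {salted.Count} users with {sWork} hash computations");
    }
}
```

Both runs crack the same weak passwords; the difference is that the unsalted run did it with one pass over the word list for all users combined, while the salted run had to repeat the word list per user. Scale the word list to billions of candidates and the user table to millions of rows and that multiplication is the whole point. Encrypting the salt, as suggested above, adds a key-management problem without changing that picture; a slow hash is what makes each per-user attack expensive.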
Chris Duran, please help me there, someone's hacked my password in my planetwin365 account. I'm still using my account with the last password and if I change to another PC I can't.
+valentin asparuhov Congrats on your observation.
nevres jahic Thank you.
Idk if it's just me, but it sounds like you're typing with a bunch of mini sledgehammers.
That's a nice way to encrypt, but how do I decrypt it and get back the original password?
Hi vaibhav, that's not the purpose of hashing. You must use encryption to do that.
vaibhav mestry The purpose of hashing is to store as a hash... the purpose is to encrypt the incoming password with the stored one... instead of decrypting the stored one and comparing it with the incoming one... to provide better security! 😆
Is it still secure this day?
How to generate a 48-character hash password only?
But then how to validate?
My question is, where do I keep the salt now?
You would keep that in the Database. Your application would randomly generate it, then store it.
Thank you, good sir.
Not a problem!
Sir, please send the link to the first video.
Cool, I subbed.
I couldn't find that ByteArrayToHexString(hash) function that he said he once created in "another" video (wow). Instead I used Convert.ToBase64String(hash) and it worked fine.
Wow, this is about a year old. Hope you got it by now. In case not, you have to write a function.

    using System.Text;

    // Renders each byte as two lowercase hex digits, so a 32-byte SHA-256 hash becomes 64 characters.
    public static string ByteArrayToHexString(byte[] ba)
    {
        StringBuilder hex = new StringBuilder(ba.Length * 2);
        foreach (byte b in ba)
            hex.AppendFormat("{0:x2}", b);
        return hex.ToString();
    }

It should work after that.
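Two questions in this thread come down to encoding: why a salt declared as 10 bytes shows up as 16 characters, and why the SHA256 output is 64 characters, plus the Base64-versus-hex choice in the comment just above. Ten random bytes Base64-encode to 16 characters (hex would be 20), and a 32-byte SHA-256 digest hex-encodes to 64 (Base64 would be 44). The added example below (editor's code, not from the video or the comments) works those lengths out for arbitrary byte counts and round-trips both encodings; that the video Base64-encoded the salt and hex-encoded the hash is an assumption made to match the numbers quoted in the thread. Requires .NET 6 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example (editor's, not the video's code): encoded lengths of hex vs Base64 and the
// decode step needed when a stored salt is read back. Assumes the video Base64-encoded the
// salt and hex-encoded the hash, to match the 16 and 64 quoted in the thread.
public static class EncodingDemo
{
    // Same behaviour as the helper posted above: two lowercase hex digits per byte.
    public static string ByteArrayToHexString(byte[] ba)
    {
        var hex = new StringBuilder(ba.Length * 2);
        foreach (byte b in ba) hex.AppendFormat("{0:x2}", b);
        return hex.ToString();
    }

    // The inverse, needed when the salt is read back from the database before hashing.
    public static byte[] HexStringToByteArray(string hex)
    {
        var bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
            bytes[i] = Convert.ToByte(hex.Substring(i * 2, 2), 16);
        return bytes;
    }

    // Hex: 2 characters per byte. Base64: 4 characters per 3 bytes, padded to a multiple of 4.
    public static int HexLength(int byteCount) => byteCount * 2;
    public static int Base64Length(int byteCount) => (byteCount + 2) / 3 * 4;

    public static void Main()
    {
        foreach (int n in new[] { 10, 16, 32 })
        {
            byte[] data = RandomNumberGenerator.GetBytes(n);
            string hex = ByteArrayToHexString(data);
            string b64 = Convert.ToBase64String(data);
            Console.WriteLine($"{n} bytes -> hex {hex.Length} chars (formula {HexLength(n)}), " +
                              $"base64 {b64.Length} chars (formula {Base64Length(n)})");

            // Both encodings round-trip; what matters is decoding with the matching function
            // before hashing, and sizing the column for the encoded length, not the byte count.
            if (!data.SequenceEqual(HexStringToByteArray(hex))) throw new Exception("hex round-trip failed");
            if (!data.SequenceEqual(Convert.FromBase64String(b64))) throw new Exception("base64 round-trip failed");
        }

        byte[] digest = SHA256.HashData(Encoding.UTF8.GetBytes("hello"));
        Console.WriteLine($"SHA-256 digest: {digest.Length} bytes, " +
                          $"{ByteArrayToHexString(digest).Length} hex chars, " +
                          $"{Convert.ToBase64String(digest).Length} base64 chars");
    }
}
```

Either encoding is fine for storage as long as the same one is used on the way back in: a salt stored as Base64 must be decoded with `Convert.FromBase64String`, not treated as text and hashed as-is, or login will never match registration.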
@@emanuelsanchez4057 Thanks for your comment, man, it really helped me out!
You saved me lots of time, thank you :)
Bro, could you please share the source code...
Thanks man.
Hey Chris... Thanks so much for this. Can you please also do a video on validating the old password? I need this real urgently, so if you can get it up as soon as possible, I will much appreciate it. Thanks.