SVAKODNEVNICA

my everyday life and programming

How to make password hash like ASP.NET membership
TOPIC: How to make password hash like ASP.NET membership

How to make password hash like ASP.NET membership 3 years, 1 month ago #4

  • fehim
I have spent two or three hours investigating how I can manually create a SHA1 hashed password like the ASP.NET SQL membership provider does. This is how they do that:

public string EncodePassword2(string pass, string salt)
{
    // Password as UTF-16LE bytes; the salt is stored Base64-encoded
    byte[] bIn = System.Text.Encoding.Unicode.GetBytes(pass);
    byte[] bSalt = Convert.FromBase64String(salt);
    byte[] bAll = new byte[bSalt.Length + bIn.Length];
    byte[] bRet = null;

    // Hash input is the salt bytes followed by the password bytes
    System.Buffer.BlockCopy(bSalt, 0, bAll, 0, bSalt.Length);
    System.Buffer.BlockCopy(bIn, 0, bAll, bSalt.Length, bIn.Length);

    // One round of SHA1 over salt + password
    System.Security.Cryptography.HashAlgorithm s =
        System.Security.Cryptography.HashAlgorithm.Create("SHA1");
    bRet = s.ComputeHash(bAll);

    // The hash is returned Base64-encoded
    return Convert.ToBase64String(bRet);
}


The next question is how they validate the user password, because they must have the SALT from the database?


A few notes about passwordFormat:

Specifies the password format. The SQL Server membership provider supports Clear, Encrypted, and Hashed password formats. Clear passwords are stored in plain text, which improves the performance of password storage and retrieval, but is less secure because passwords are easily read if your SQL Server database is compromised. Encrypted passwords are encrypted when stored and can be decrypted for password comparison or password retrieval. This requires additional processing for password storage and retrieval, but is more secure because passwords are not easily deciphered if the SQL Server database is compromised. Hashed passwords are hashed using a one-way hash algorithm and a randomly generated salt value when stored in the database. When a password is validated, it is hashed with the salt value in the database for verification. Hashed passwords cannot be retrieved.


Enjoy...
Last Edit: 3 years, 1 month ago by fehim.
The topic has been locked.

Re: How to make password hash like ASP.NET membership 3 years, 1 month ago #5

  • Solution for validation
The SQL ASP.NET membership provider calls the stored procedure dbo.aspnet_Membership_GetPasswordWithFormat, which returns the password format, hashed password, salt and a few other params.

SqlCommand cmd = new SqlCommand("dbo.aspnet_Membership_GetPasswordWithFormat", connection);

cmd.CommandTimeout = CommandTimeout;
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.Add(CreateInputParam("@ApplicationName", SqlDbType.NVarChar, ApplicationName));
cmd.Parameters.Add(CreateInputParam("@UserName", SqlDbType.NVarChar, username));
cmd.Parameters.Add(CreateInputParam("@UpdateLastLoginActivityDate", SqlDbType.Bit, updateLastLoginActivityDate));
cmd.Parameters.Add(CreateInputParam("@CurrentTimeUtc", SqlDbType.DateTime, DateTime.UtcNow));


I'm not so happy with that... Is it possible to create the password hash on the database side?

If you know the password salt, the hashed password and the algorithm for generating the hash, then a hacker is able to create a program on his machine to break down the user password!
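
The validation step asked about in the first post and the offline-guessing concern in the reply above, as an added example that is not part of the original posts or of ASP.NET's own code: it recomputes the legacy hash from the stored salt and compares in constant time, and shows PBKDF2 as a slower alternative to a single SHA1 round. Class and method names, the sample password and the iteration count are assumptions; it targets .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; class, method and parameter names are hypothetical. Needs .NET 6+.
public static class MembershipHashDemo
{
    // Legacy format from the thread: Base64(SHA1(salt || UTF-16LE(password))).
    public static string LegacyHash(string password, string saltB64)
    {
        byte[] salt = Convert.FromBase64String(saltB64);
        byte[] pwd = Encoding.Unicode.GetBytes(password);
        byte[] all = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, all, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, all, salt.Length, pwd.Length);
        return Convert.ToBase64String(SHA1.HashData(all));
    }

    // Validation: recompute from the stored salt, then compare in constant time.
    public static bool VerifyLegacy(string password, string saltB64, string storedHashB64)
    {
        byte[] expected = Convert.FromBase64String(storedHashB64);
        byte[] actual = Convert.FromBase64String(LegacyHash(password, saltB64));
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // Slower alternative: PBKDF2-HMAC-SHA256. The iteration count is an assumed
    // value; store it next to the salt so it can be raised later.
    public static string Pbkdf2Hash(string password, string saltB64, int iterations)
    {
        byte[] salt = Convert.FromBase64String(saltB64);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, iterations, HashAlgorithmName.SHA256, 32);
        return Convert.ToBase64String(key);
    }

    public static void Main()
    {
        // Constructed sample row: a fresh random 16-byte salt and a made-up password.
        string salt = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
        string stored = LegacyHash("Passw0rd!", salt);
        bool good = VerifyLegacy("Passw0rd!", salt, stored);
        bool bad = VerifyLegacy("passw0rd!", salt, stored);

        Console.WriteLine("correct password accepted: " + good);
        Console.WriteLine("wrong password accepted:   " + bad);
        Console.WriteLine("PBKDF2 record: " + Pbkdf2Hash("Passw0rd!", salt, 600000));
    }
}
```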

Re: How to make password hash like ASP.NET membership 3 years, 1 month ago #6

  • NET 4

Re: How to make password hash like ASP.NET membership 3 years, 1 month ago #7

  • SQL server hash asp.net password ..
Below is an example of how to create an ASP.NET password hash function inside SQL Server:

CREATE FUNCTION [dbo].[adm_Base64Encode] (@data VARBINARY(max)) RETURNS VARCHAR(max)
WITH SCHEMABINDING, RETURNS NULL ON NULL INPUT
BEGIN
  RETURN ( SELECT [text()] = @data FOR XML PATH('')  )
END
go
 
CREATE FUNCTION [dbo].[adm_Base64Decode] (@base64_text VARCHAR(max)) RETURNS VARBINARY(max)
WITH SCHEMABINDING, RETURNS NULL ON NULL INPUT
BEGIN
  DECLARE @x XML; 
  SET @x = @base64_text
  RETURN @x.value('(/)[1]', 'VARBINARY(max)')
END
go

create procedure adm_HashPwd(
  @UserId uniqueidentifier
 ,@password nvarchar(50)
 ,@hash nvarchar(150) out
)
as
  declare @lv_salt nvarchar(128);
  declare @lv_pwdfmt int;
  
  select @lv_salt = m.PasswordSalt, @lv_pwdfmt = m.PasswordFormat   
  from aspnet_Membership m
  where UserId = @UserId;
  
  if @@ROWCOUNT < 1 
  begin
    raiserror('User does not exist!',16,1);
    return;
  end;
  
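  -- Despite its name, @encoded_hash holds the decoded salt bytes
  declare @encoded_hash varbinary(max);
  set @encoded_hash = [dbo].adm_Base64Decode(@lv_salt);
  -- Casting nvarchar to varbinary yields UTF-16LE bytes, the same bytes
  -- Encoding.Unicode.GetBytes produces on the .NET side
  declare @encoded_pwd varbinary(max);
  set @encoded_pwd = CAST(@password as varbinary(max) );
  
  -- @lv_pwdfmt is read above but never checked; the result only matches
  -- rows that are stored in the Hashed password format
  set @hash = [dbo].adm_Base64Encode( HASHBYTES('SHA1',@encoded_hash+@encoded_pwd) );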
go



It works for me ....

Re: How to make password hash like ASP.NET membership 3 years, 1 month ago #8

  • SQL Server
You can find additional information in this post too:

forums.asp.net/t/1019654.aspx/1?how+to+u...rectly+through+T+SQL