How to reproduce the default password hash generated by ASP.NET MVC

I use the default ASP.NET MVC 4 membership system, and the client needs to send a signature, including its hashed password, for authentication.

I need to hash the password exactly as the server hashes it.

    private static bool IsAuthenticated(string hashedPassword, string message, string signature)
    {
        if (string.IsNullOrEmpty(hashedPassword))
            return false;

        var verifiedHash = ComputeHash(hashedPassword, message);
        if (signature != null && signature.Equals(verifiedHash))
            return true;

        return false;
    }

So, how can I reproduce a hashed password, for example, a saved password in a database?

+4
4 answers

I'm not sure if I understand your question, but there is no need to compare hashed passwords. Membership already has a method to validate the user; you should just use

 Membership.ValidateUser(username, password) 

If you use a membership provider and forms authentication, you can check if the user has already been registered

  User.Identity.IsAuthenticated 
+1

See the HashPassword method of the System.Web.Helpers.Crypto class. The SimpleMembership provider uses this class for cryptographic services.

You can just read the entry from the database :-)

For more information, see http://msdn.microsoft.com/en-us/library/system.web.helpers.crypto%28v=vs.111%29.aspx

By the way, do not forget to consider the SALT. Does your process require you to combine Pass and salt before hashing?

+1

The .NET membership provider uses a base64-encoded HMACSHA1 hash. You can recreate the same hash using only client-side JavaScript. The trick is to have your password and hash key the same, and also to use UTF-16LE encoding. The solution here uses crypto-js. I don't know why the crypto-js UTF-16LE function does not give the same result, so I use a different UTF function.

    //not sure why crypt-js utf16LE function doesn't give the same result
    //words = CryptoJS.enc.Utf16LE.parse("test");
    //utf16 = CryptoJS.enc.Utf16LE.stringify("test");
    function str2rstr_utf16le(input) {
        var output = [], i = 0, l = input.length;
        for (; l > i; ++i) {
            output[i] = String.fromCharCode(
                input.charCodeAt(i) & 0xFF,
                (input.charCodeAt(i) >>> 8) & 0xFF
            );
        }
        return output.join('');
    }

    var pwd = str2rstr_utf16le("test");
    var hash = CryptoJS.HmacSHA1(pwd, pwd);
    var encodedPassword = CryptoJS.enc.Base64.stringify(hash);
+1

Full method from Crypto.cs @ System.Web.Helpers:

    /// <summary>Returns an RFC 2898 hash value for the specified password.</summary>
    /// <returns>The hash value for <paramref name="password" /> as a base-64-encoded string.</returns>
    /// <param name="password">The password to generate a hash value for.</param>
    /// <exception cref="T:System.ArgumentNullException">
    /// <paramref name="password" /> is null.</exception>
    public static string HashPassword(string password)
    {
        if (password == null)
            throw new ArgumentNullException("password");

        byte[] salt;
        byte[] bytes;
        // PBKDF2 (RFC 2898) with a fresh random 16-byte salt and 1000 iterations.
        using (Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, 16, 1000))
        {
            salt = rfc2898DeriveBytes.Salt;
            bytes = rfc2898DeriveBytes.GetBytes(32);
        }

        // Output layout: byte 0 stays 0x00, bytes 1-16 hold the salt, bytes 17-48 hold the derived key.
        byte[] inArray = new byte[49];
        Buffer.BlockCopy((Array) salt, 0, (Array) inArray, 1, 16);
        Buffer.BlockCopy((Array) bytes, 0, (Array) inArray, 17, 32);
        return Convert.ToBase64String(inArray);
    }
0
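
An added example, not part of any answer above and not Microsoft's code: the stored format that the HashPassword method above produces, rebuilt and verified in Node.js. It shows that the salt is random per call, so the stored value can only be checked by re-deriving with the salt read back out of it. The function names are my own, and it assumes Node's built-in crypto module and a UTF-8 encoded password.

```javascript
// Added example. Stored format of Crypto.HashPassword, as shown in the method above:
// base64( 0x00 || salt[16] || PBKDF2-HMAC-SHA1(password, salt, 1000 iterations)[32] )
const nodeCrypto = require("crypto");

const SALT_LEN = 16, SUBKEY_LEN = 32, ITERATIONS = 1000;

// Build a value in the same layout: leading zero byte, then salt, then derived key.
// The salt parameter exists only so the derivation can be repeated deterministically.
function hashPassword(password, salt = nodeCrypto.randomBytes(SALT_LEN)) {
  if (typeof password !== "string") throw new TypeError("password must be a string");
  const subkey = nodeCrypto.pbkdf2Sync(password, salt, ITERATIONS, SUBKEY_LEN, "sha1");
  return Buffer.concat([Buffer.from([0x00]), salt, subkey]).toString("base64");
}

// Split a stored value into salt and derived key; null if it is not in this format.
function parseStoredHash(stored) {
  const raw = Buffer.from(String(stored), "base64");
  if (raw.length !== 1 + SALT_LEN + SUBKEY_LEN || raw[0] !== 0x00) return null;
  return { salt: raw.subarray(1, 1 + SALT_LEN), subkey: raw.subarray(1 + SALT_LEN) };
}

// Re-derive with the stored salt and compare in constant time.
function verifyHashedPassword(stored, password) {
  const parsed = parseStoredHash(stored);
  if (parsed === null || typeof password !== "string") return false;
  const candidate = nodeCrypto.pbkdf2Sync(password, parsed.salt, ITERATIONS, SUBKEY_LEN, "sha1");
  return nodeCrypto.timingSafeEqual(candidate, parsed.subkey);
}

// Constructed sample: two hashes of the same password differ because the salts differ.
const first = hashPassword("test");
const second = hashPassword("test");
console.log(first === second, verifyHashedPassword(first, "test"), verifyHashedPassword(second, "test"));
```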