3
votes

I have made a user registration where I have salted the user password and hashed it using SHA256. Later, when the user needs to log into my system I need to have his password salted and hashed, so I:

1. retrieved the salt "string" from the database
2. converted the salt into bytes
3. created a new byte[] = [inputPassword.length + salt.length]
4. and hashed that.

Now the new hash is shorter than the original hash (using the same hashing functions).

Given this information, what do you think the problem might be? Is storing the salt as CHAR in my database wrong? If yes, what or how should I save it?

Note: both hashes are compared at the byte level. Note: all user information is stored in the database; password and salt as CHAR.

Thank you in advance.

2
Could you provide us with your code? And perhaps some examples, both generated from your code and the stored database value? - sisve

The code is too large, plus it's on a different machine :( but ... it appears that the salt is the same when retrieved from the database, but the problem is when it's converted to bytes. I use 'Encoding.Unicode.GetBytes(salt);' and it seems this makes a problem ... as strings both look just fine ... the problem is raised when converting the salt into bytes ... - Amait

2 Answers

3
votes

You could generate a salt from a Guid converted into a base 64 string, then save that in the database as char. I use nvarchar to maximise my options using a .NET string.

Then you can implement something like this for generating the original password hash, and comparing the hash when the user logs in:

    using System;
    using System.Security.Cryptography;
    using System.Text;

    // Hashes salt + password with SHA-256. The digest is always 32 bytes,
    // whatever the length of the input; note that both registration and
    // login must use the same encoding (Encoding.Unicode here) for the salt.
    public static byte[] GetHash(string password, string salt)
    {
        byte[] unhashedBytes = Encoding.Unicode.GetBytes(String.Concat(salt, password));

        // SHA256.Create() is the non-obsolete equivalent of new SHA256Managed();
        // the using block disposes the hash object after use.
        using (SHA256 sha256 = SHA256.Create())
        {
            byte[] hashedBytes = sha256.ComputeHash(unhashedBytes);
            return hashedBytes;
        }
    }

    // Recomputes the hash for the attempted password with the stored salt and
    // compares it with the stored hash. Comparing the base64 forms is
    // equivalent to comparing the bytes; a fixed-time comparison would avoid
    // leaking where the two differ through timing.
    public static bool CompareHash(string attemptedPassword, byte[] hash, string salt)
    {
        string base64Hash = Convert.ToBase64String(hash);
        string base64AttemptedHash = Convert.ToBase64String(GetHash(attemptedPassword, salt));

        return base64Hash == base64AttemptedHash;
    }
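As an added example (not code from the question or this answer), the following console program walks the whole round trip the answer describes: it generates a Guid-based base64 salt, hashes salt + password over UTF-16 bytes, and verifies a login attempt. It also reproduces the two things that most often make the login-time bytes differ from the registration-time bytes: a fixed-width CHAR column returning the salt padded with trailing spaces, and the salt being encoded with a different Encoding on one side. The `ReadFromCharColumn` helper is a stand-in for a database read (constructed for the demo), and `CryptographicOperations.FixedTimeEquals` assumes .NET Core 2.1 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: round-trips a salt through a simulated CHAR(n) column to show
// why a login-time hash can stop matching the registration-time hash.
public static class SaltedHashDemo
{
    // Salt as the base64 form of a Guid, as the answer suggests (24 characters).
    public static string NewSalt() =>
        Convert.ToBase64String(Guid.NewGuid().ToByteArray());

    // SHA-256 over the UTF-16 (Encoding.Unicode) bytes of salt + password.
    // The digest is 32 bytes regardless of how long salt or password are.
    public static byte[] GetHash(string password, string salt)
    {
        byte[] input = Encoding.Unicode.GetBytes(string.Concat(salt, password));
        using (SHA256 sha256 = SHA256.Create())
        {
            return sha256.ComputeHash(input);
        }
    }

    // Byte-level comparison that does not stop at the first differing byte.
    public static bool CompareHash(string attemptedPassword, byte[] storedHash, string salt)
    {
        byte[] attempted = GetHash(attemptedPassword, salt);
        return CryptographicOperations.FixedTimeEquals(storedHash, attempted);
    }

    // Stand-in for reading a fixed-width CHAR(n) column: the stored value
    // comes back right-padded with spaces to the column width.
    public static string ReadFromCharColumn(string stored, int columnWidth) =>
        stored.PadRight(columnWidth);

    public static void Main()
    {
        const string password = "correct horse battery staple"; // constructed sample
        string salt = NewSalt();                     // created at registration
        byte[] storedHash = GetHash(password, salt); // stored next to the salt
        Console.WriteLine($"salt length: {salt.Length} chars, hash length: {storedHash.Length} bytes");

        // Login path 1: the salt read back from a CHAR(32) column carries
        // trailing spaces, so the bytes fed to SHA-256 are not the original ones.
        string saltFromDb = ReadFromCharColumn(salt, 32);
        Console.WriteLine($"padded salt verifies:  {CompareHash(password, storedHash, saltFromDb)}");

        // Login path 2: trim the padding (base64 never ends in a space), or store
        // the salt in a VARCHAR/NVARCHAR column so no padding is added at all.
        Console.WriteLine($"trimmed salt verifies: {CompareHash(password, storedHash, saltFromDb.TrimEnd())}");

        // Encoding mismatch: hashing the same strings as UTF-8 bytes instead of
        // UTF-16 bytes produces a different digest, so both ends must agree.
        byte[] utf8Hash;
        using (SHA256 sha256 = SHA256.Create())
        {
            utf8Hash = sha256.ComputeHash(Encoding.UTF8.GetBytes(salt + password));
        }
        Console.WriteLine($"UTF-8 vs UTF-16 digests equal: {CryptographicOperations.FixedTimeEquals(storedHash, utf8Hash)}");
    }
}
```

Run it as a console project; the padded-salt check fails and the trimmed-salt check succeeds, which is the behaviour to look for when a CHAR-stored salt is suspected. Both digest lengths printed will be 32 bytes, so a hash that "comes out shorter" points at the code around the hash call rather than at SHA-256 itself. For production password storage a purpose-built, slow password KDF (for example PBKDF2 via Rfc2898DeriveBytes) is the recommended replacement for a single SHA-256 pass.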
1
votes

Usually hash functions return a fixed-size hash, so if you say that the new hash is shorter, I think the problem might be in your hash function.