
I’m working with C# and ASP.NET Core 7. I’m trying to get the hashed password from my database to verify a login request. The problem is that the value "storedPasswordHash" is always the same no matter which userId is passed.

This method is just for testing, to see the password hash that is stored for the userid parameter.

private byte[] SeePassword(string userid)
{
    using (SqlConnection connection = new SqlConnection(ConnectionString))
    {
        connection.Open();
        string selectQuery = "SELECT * FROM Credentials WHERE UserID = @UserID";
        SqlCommand command = new SqlCommand(selectQuery, connection);
        command.Parameters.AddWithValue("@UserID", userid);

        using (SqlDataReader reader = command.ExecuteReader())
        {
            if (reader.Read())
            {
                string storedUserID = reader["UserID"].ToString();

                string storedPasswordHash = reader["PasswordHash"].ToString();
                string storedPasswordSalt = reader["PasswordSalt"].ToString();

                connection.Close();
                return Encoding.UTF8.GetBytes(storedPasswordHash);
            }
            connection.Close();
            byte[] valor = {0};
            return valor;
        }
    }
}

I’m using another method to try the same but with the userid value, and it works, returning the stored ID, which is the same as the one given as the parameter.

private string SeeUserID(string userid)
{
    using (SqlConnection connection = new SqlConnection(ConnectionString))
    {
        connection.Open();
        string selectQuery = "SELECT * FROM Credentials WHERE UserID = @UserID";
        SqlCommand command = new SqlCommand(selectQuery, connection);
        command.Parameters.AddWithValue("@UserID", userid);

        using (SqlDataReader reader = command.ExecuteReader())
        {
            if (reader.Read())
            {
                string storedUserID = reader["UserID"].ToString();

                connection.Close();
                return (storedUserID);
            }
            connection.Close();

            return "not found";
        }
    }
}

I’m creating the hash using the following method:

private void CreatePasswordHash(string password, out byte[] passwordHash, out byte[] passwordSalt)
{
    using var hmac = new HMACSHA512();
    passwordSalt = hmac.Key;
    passwordHash = hmac.ComputeHash(Encoding.UTF8.GetBytes(password));
}

And here is where new users are added:

public async Task<ActionResult<Credential>> Register(CredentialDto request)
{
    string inputUserId = request.UserId.ToString();
    string inputPassword = request.Password.ToString();

    CreatePasswordHash(request.Password, out byte[] passwordHash, out byte[] passwordSalt);

    credential.UserId = request.UserId;
    credential.PasswordHash = passwordHash;
    credential.PasswordSalt = passwordSalt;

    _dataBaseContext.Database.OpenConnection();
    _dataBaseContext.Database.ExecuteSqlRaw("SET IDENTITY_INSERT dbo.Credentials ON");
    _dataBaseContext.Credentials.Add(credential);
    _dataBaseContext.SaveChanges();
    _dataBaseContext.Database.ExecuteSqlRaw("SET IDENTITY_INSERT dbo.Credentials OFF");
    _dataBaseContext.Database.CloseConnection();

    return Ok(credential);
}

Thanks in advance
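Added example, not the poster's code: how the stored hash and salt are read back as byte arrays and a login verified against them using the same HMACSHA512 construction as CreatePasswordHash above. The varbinary columns arrive from SqlDataReader boxed as byte[] and are cast rather than converted with ToString(), which on an array returns only the type name "System.Byte[]"; the comparison is constant-time. The Credentials table and column names are the question's; the SqlClient namespace is an assumption (use whichever the project references), and the Main method exercises the hash/verify pair without a database.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Data.SqlClient; // assumption: or System.Data.SqlClient, whichever the project references

// Added example, not the poster's code. Assumes the question's Credentials table
// (UserID, PasswordHash varbinary, PasswordSalt varbinary) and that rows were written
// by CreatePasswordHash, i.e. hash = HMACSHA512(key: salt, message: UTF-8 password).
public sealed class CredentialVerifier
{
    private readonly string _connectionString;

    public CredentialVerifier(string connectionString) => _connectionString = connectionString;

    // Same construction as the question's CreatePasswordHash: the random HMAC key
    // doubles as the per-user salt.
    public static (byte[] Hash, byte[] Salt) CreatePasswordHash(string password)
    {
        using var hmac = new HMACSHA512();
        return (hmac.ComputeHash(Encoding.UTF8.GetBytes(password)), hmac.Key);
    }

    // Recompute the HMAC with the stored salt as key and compare in constant time,
    // so a wrong guess does not reveal how many leading bytes matched.
    public static bool VerifyPassword(string password, byte[] storedHash, byte[] storedSalt)
    {
        using var hmac = new HMACSHA512(storedSalt);
        byte[] computed = hmac.ComputeHash(Encoding.UTF8.GetBytes(password));
        return CryptographicOperations.FixedTimeEquals(computed, storedHash);
    }

    // Load the raw hash and salt for one user. varbinary columns come back boxed as
    // byte[] and must be cast; calling ToString() on that object returns the literal
    // string "System.Byte[]" for every row, not the bytes.
    public (byte[] Hash, byte[] Salt)? LoadStoredCredential(string userId)
    {
        using var connection = new SqlConnection(_connectionString);
        connection.Open(); // 'using' disposes (and closes) the connection on exit

        const string sql = "SELECT PasswordHash, PasswordSalt FROM Credentials WHERE UserID = @UserID";
        using var command = new SqlCommand(sql, connection);
        command.Parameters.AddWithValue("@UserID", userId);

        using var reader = command.ExecuteReader();
        if (!reader.Read())
            return null;

        return ((byte[])reader["PasswordHash"], (byte[])reader["PasswordSalt"]);
    }

    // Unknown user and wrong password both yield false.
    public bool Login(string userId, string password)
    {
        var stored = LoadStoredCredential(userId);
        return stored is not null && VerifyPassword(password, stored.Value.Hash, stored.Value.Salt);
    }

    // Exercises the hash/verify pair without a database.
    public static void Main()
    {
        var (hash, salt) = CreatePasswordHash("correct horse battery staple");
        Console.WriteLine($"hash length {hash.Length}, salt length {salt.Length}");
        Console.WriteLine(VerifyPassword("correct horse battery staple", hash, salt));
        Console.WriteLine(VerifyPassword("wrong password", hash, salt));
        Console.WriteLine(hash.ToString()); // the value a ToString() on the column object yields
    }
}
```

Login deliberately depends only on the stored bytes: the password is never reconstructed, and the hash itself never leaves the verifier, which is the property the question's SeePassword test was probing for.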

2 Answers


  1. Your code is correct. Just look at Credentials in the database to get PasswordHash values. I guess they are all the same.

    P.S.
    It seems you need to modify:

        credential = new Credential()
        {
            UserId = request.UserId,
            PasswordHash = passwordHash,
            PasswordSalt = passwordSalt
        };
    
  2. Your code is behaving exactly in accordance with the design flow of ASP.NET Core Identity and password hashing.

    When using what your code is trying to do as a unit test for user credential encapsulation, that failure to extract the password becomes a false positive.

    Put another way, why hash the password if you have a use case to view sensitive user details? You could just violate identity credential storage standards by using plain text or plain encryption methods.

    This link should help you come to terms with your code design and the context for your text:
    https://andrewlock.net/exploring-the-asp-net-core-identity-passwordhasher/
    It does say:
    "A hash is a one way function, so given the password you can work out the hash, but given the hash you can’t get the original password back. For security reasons, the characteristics of the hash function are important; in particular, the hash function should be relatively costly to compute, so that if your database of password hashes were to be compromised, it would take a long time to crack them"

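Added example, not from the answer or the linked article: the framework's PasswordHasher<TUser> from Microsoft.AspNetCore.Identity, the component the linked post examines. It derives the stored value with PBKDF2 over a random per-password salt and encodes format version, salt and subkey in one string, so the single-round HMAC and separate salt column in the question are not needed, and it reports when an old hash should be upgraded. AppUser is a placeholder type.

```csharp
using System;
using Microsoft.AspNetCore.Identity; // shipped in the ASP.NET Core shared framework

// Added example, not the answer's or the linked article's code.
// AppUser is a placeholder for whatever user type the application stores.
public sealed class AppUser
{
    public string UserId { get; init; } = string.Empty;
    // A single text column: format version, PRF, iteration count, salt and subkey
    // are all encoded in the hasher's output, so no separate PasswordSalt column.
    public string PasswordHash { get; set; } = string.Empty;
}

public static class IdentityPasswordDemo
{
    private static readonly PasswordHasher<AppUser> Hasher = new();

    // Registration: store only the returned string.
    public static AppUser Register(string userId, string password)
    {
        var user = new AppUser { UserId = userId };
        user.PasswordHash = Hasher.HashPassword(user, password);
        return user;
    }

    // Login: Success, Failed, or SuccessRehashNeeded. The last means the stored hash
    // verified but was produced with older parameters; re-hash it now that the
    // plaintext is available, so stored hashes migrate to current settings over time.
    public static bool Login(AppUser user, string password)
    {
        var result = Hasher.VerifyHashedPassword(user, user.PasswordHash, password);
        switch (result)
        {
            case PasswordVerificationResult.Success:
                return true;
            case PasswordVerificationResult.SuccessRehashNeeded:
                user.PasswordHash = Hasher.HashPassword(user, password); // persist this
                return true;
            default:
                return false;
        }
    }

    public static void Main()
    {
        var first = Register("alice", "correct horse battery staple");
        var second = Register("alice", "correct horse battery staple");
        // Same password, different stored values: the salt is random on every call,
        // so identical hashes across rows would indicate a bug, not a shared password.
        Console.WriteLine(first.PasswordHash != second.PasswordHash);
        Console.WriteLine(Login(first, "correct horse battery staple"));
        Console.WriteLine(Login(first, "wrong"));
    }
}
```

Running Main shows the two registrations producing different stored strings, the correct password verifying and the wrong one failing; with the hasher's defaults the cost per verification is deliberately far higher than a single HMAC, which is the "relatively costly to compute" property the quoted passage describes.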