Password hashing in a C# Windows app, absent ASP.NET's FormsAuthentication?

12,458

Solution 1

using System;
using System.Security.Cryptography;
using System.Text;

// Returns the Base64-encoded SHA-1 hash of the password's UTF-16 (Encoding.Unicode) bytes.
public static string EncodePasswordToBase64(string password)
{
    byte[] bytes   = Encoding.Unicode.GetBytes(password);
    byte[] inArray = HashAlgorithm.Create("SHA1").ComputeHash(bytes);
    return Convert.ToBase64String(inArray);
}

Solution 2

The FormsAuthentication is defined in the System.Web.Security namespace which is in the System.Web.dll assembly.

Just because you are writing a WinForm app does not stop you from using that namespace or referencing that assembly; they are just not done by default as they would be for a WebForms app.

Solution 3

If you are using the hashing for user credentials, I suggest you do more than just hashing; you ideally want key stretching as well.

Here is an API to do what you want in a secure fashion:

https://sourceforge.net/projects/pwdtknet/

Solution 4

Could you not use the BitConverter function instead of the "x2" loop?

e.g.

return BitConverter.ToString(hash).Replace("-", "");

Solution 5

I think it should work. All you need to do is reference System.Web.Security in your code (and add it as a reference in your Visual Studio Project).

Author by

Admin

Updated on July 27, 2022

Comments

  • Admin
    Admin almost 2 years

    My Win form app doesn't seem to like FormsAuthentication, I'm totally new to hashing so any help to convert this would be very welcome. Thanks.

    //Write hash
    protected TextBox tbPassword;
    protected Literal liHashedPassword;
    
    {
      string strHashedPassword = FormsAuthentication.HashPasswordForStoringInConfigFile(tbPassword.Text, "sha1");
      liHashedPassword.Text = "Hashed Password is: " + strHashedPassword;    
    }
    
    //read hash
    string strUserInputtedHashedPassword = FormsAuthentication.HashPasswordForStoringInConfigFile( tbPassword.Text, "sha1");
    if(strUserInputtedHashedPassword == GetUsersHashedPasswordUsingUserName(tbUserName.Text))
    {
      // sign-in successful
    }
    else
    {
      // sign-in failed
    }
    
  • Andrew Shooner
    Andrew Shooner over 15 years
    Other than the obvious "it's not meant for WinForms apps", is there a reason why including System.Web.* is not such a good idea?
  • Kushal Shah
    Kushal Shah about 15 years
    Reminds me of a post by Rick Strahl at west-wind.com/Weblog/posts/617930.aspx 1. It doesn't "feel" right. 2. It forces System.Web into the loaded assembly list of any application consuming the library. 3. It adds 2.5 megs to the memory footprint just for loading it. 4. etc. (out of room)
  • Dan Esparza
    Dan Esparza almost 14 years
    Bear in mind that SHA1 is (apparently) faster, but would be less secure than SHA256. See en.wikipedia.org/wiki/SHA256 for more information
  • SLaks
    SLaks over 11 years
    @JarrodDixon: On the contrary. For passwords, you want a slower hash.
  • I. J. Kennedy
    I. J. Kennedy over 11 years
    I don't see any source code there. Not sure anyone's going to trust their passwords to a .DLL they don't know anything about.
  • thashiznets
    thashiznets over 10 years
    Source is there in the files area in the folder named "source". Source is provided for exactly the reason you describe. Here is a link to the source folder: sourceforge.net/projects/pwdtknet/files/Source