Vb.net – Using SHA256 + SHA512 hash for password

passwordsSecurityvb.net

I'm creating a method that I will use to hash password to store in a database. I would like to seek advice if my methods in hashing is sufficient or overkill for the task.

    Dim result As Byte()
    Dim mixer As String

    Try
        Dim sha As New SHA512CryptoServiceProvider

        mixer = txt_salt.Text.ToUpper + txt_pass.Text.Trim
        result = sha.ComputeHash(System.Text.Encoding.ASCII.GetBytes(mixer))

        txt_sha.Text = Convert.ToBase64String(result)
    Catch ex As Exception
        MsgBox(ex.ToString)
    End Try

Thanks.

Best Answer

It is insufficient.

No salt:
- vulnerable to rainbow tables (if hashes are leaked)
- solution: use random salt in large domain
Hashes are too fast:
- vulnerable to brute-force (if hashes are leaked)
- most hashing algorithms are designed to be fast
- solution: bcrypt, scrypt or multiple (many!!!) rounds
No HMAC:
- does not have additional "server secret" (stored outside db!)
- solution: hmac-sha1, etc.
Not part of a well-tested library/framework for authentication:
- this is a "roll your own" implementation
- solution: don't reinvent a wheel, unless it's one of these or these :)

As far as "bits" go, SHA1 is perfectly fine with 160 (but it is not fine [by itself] for other reasons). Doing both SHA256+SH512 just complicates the matter for zero gain. (Actually, it is a very slight net loss due to the extra storage requirements.)

I suggest using an existing library/system, unless this is an academic project :)

Happy coding.

Related Solutions

Disable browser ‘Save Password’ functionality

I'm not sure if it'll work in all browsers but you should try setting autocomplete="off" on the form.

<form id="loginForm" action="login.cgi" method="post" autocomplete="off">

The easiest and simplest way to disable Form and Password storage prompts and prevent form data from being cached in session history is to use the autocomplete form element attribute with value "off".

From https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

Some minor research shows that this works in IE to but I'll leave no guarantees ;)

@Joseph: If it's a strict requirement to pass XHTML validation with the actual markup (don't know why it would be though) you could theoretically add this attribute with javascript afterwards but then users with js disabled (probably a neglectable amount of your userbase or zero if your site requires js) will still have their passwords saved.

Example with jQuery:

$('#loginForm').attr('autocomplete', 'off');

Unix – How to remove the passphrase for the SSH key without having to create a new key

Short answer:

$ ssh-keygen -p

This will then prompt you to enter the keyfile location, the old passphrase, and the new passphrase (which can be left blank to have no passphrase).

If you would like to do it all on one line without prompts do:

$ ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]

Important: Beware that when executing commands they will typically be logged in your ~/.bash_history file (or similar) in plain text including all arguments provided (i.e. the passphrases in this case). It is, therefore, is recommended that you use the first option unless you have a specific reason to do otherwise.

Notice though that you can still use -f keyfile without having to specify -P nor -N, and that the keyfile defaults to ~/.ssh/id_rsa, so in many cases, it's not even needed.

You might want to consider using ssh-agent, which can cache the passphrase for a time. The latest versions of gpg-agent also support the protocol that is used by ssh-agent.

Best Answer

Related Solutions

Disable browser ‘Save Password’ functionality

Unix – How to remove the passphrase for the SSH key without having to create a new key

Related Topic