Previously, I had written a few things for .NET Framework about how to implement basic security concepts in applications that run in the .NET environment. In this post I want to walk you through implementing the same security concepts in applications based on the .NET Core framework. As always, there will be two topics that I cover in this post. .NET Core is different in this matter compared to .NET Framework, one of the major reasons being that there is no "SHA256Managed" (or any other Managed type) in the framework. This post will cover the basic concepts and will help you understand and get started with the methodologies for security.

Figure 1: Data security in your applications is the first step for giving clients confidence

First of all, I will cover hashing, and I will give you a few of my tips and considerations for hashing passwords using .NET Core in your applications.
Before I started writing this post, I remembered when I was working on the Mono Project; the platform was very easy to write for. I was using Xamarin Studio as the IDE and Mono was the runtime at that time. My previous guide focused on Mono programming on Ubuntu, whereas in this post I will cover the same concepts with .NET Core. .NET Core is really beautiful; although it is not complete yet, it is very powerful. I am using the following tools at the moment, so in case you want to set up your own programming environment to match mine, you can use them.
IDE: Visual Studio Code, for C# support and debugging.
Terminal: Ubuntu provides a native terminal that I use to run the project after I have finished working on my source code.

Figure 2: Visual Studio Code being used for C# programming with .NET Core

You can download and install these packages on your own system. If you are using Windows, I am unaware of what Visual Studio Code has to offer there, because since the start of Visual Studio Code I have only used it on Ubuntu, and on Windows my preference is always Visual Studio itself. Also, I am going to use the same project that I had created earlier and start from there.

So, let's get started.

Hashing passwords

Even before starting to write this, I am considering the thunderstorm of comments that would hit me if I were to make a small and simple mistake in the points here, such as:
- Bad hashing practices.
- Not using salts.
- Using bad functions.
- Etc.

However, I will keep the process simple, since it is just a small program that does the job, without any exaggeration. Instead of talking about that, I will walk you through many concepts of hashing, how hackers may try to get the passwords, and where hashing helps you out. Until now I have written 3 to 4 articles about hashing, and I can't find any difference in any of the code that I have been writing. The common difference is that there are no extra managed-code things around; .NET Core removed everything redundant from the code samples.
So we are left with the simple ones that we will be using now. What I did was create a simple, minimal block using the SHA256 algorithm that hashes the string text that I pass to it. I used the following code. The result of this code is:

Figure 3: Result of the above code in C# being executed in the Ubuntu terminal on the .NET Core runtime

There is one other constraint here, "Encoding.UTF8": if you use another character encoding, then the chances are your hashed string will be different. You can try out other flavors of character encoding such as:
- ASCII
- UTF-8
- Unicode (the .NET framework treats the Unicode encoding as UTF-16 LE)
- The rest of the Unicode encodings, etc.

The reason is that they produce a different byte sequence, and the hashing function works on the bytes of the data that are passed.

Tips and considerations

There are generally two namespaces: one is the very old, familiar .NET namespace, System.Security.Cryptography, and the other is Microsoft.AspNet.Cryptography, which is a part of ASP.NET Core and is yet to be released. Anyway, here are a few tips that you should consider before handling passwords.

Passwords are fragile: handle with care

I can't think of any online service, offline privacy application or API host where passwords are not handled with care. If there is one, I would still act as if I never knew of it.
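Returning to the encoding point above, the following is an added example (not the post's original code) of the minimal SHA256 block on .NET Core, run once per encoding so you can see how the byte sequence changes the digest; the input strings are constructed samples.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class HashDemo
{
    // Encodes 'text' with 'encoding', hashes the bytes with SHA-256 and returns lowercase hex.
    // On .NET Core there is no SHA256Managed; SHA256.Create() returns the platform implementation.
    public static string Sha256Hex(string text, Encoding encoding)
    {
        using (var sha = SHA256.Create())
        {
            byte[] data = encoding.GetBytes(text);
            byte[] digest = sha.ComputeHash(data);
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    public static void Main()
    {
        // Constructed samples: one pure-ASCII password and one with a non-ASCII character.
        foreach (string text in new[] { "Pa$$w0rd", "Pässw0rd" })
        {
            Console.WriteLine("input  : " + text);
            Console.WriteLine("UTF-8  : " + Sha256Hex(text, Encoding.UTF8));
            Console.WriteLine("ASCII  : " + Sha256Hex(text, Encoding.ASCII));
            Console.WriteLine("UTF-16 : " + Sha256Hex(text, Encoding.Unicode));
            Console.WriteLine();
        }
        // ASCII and UTF-8 produce the same bytes only while every character is 7-bit;
        // Encoding.ASCII silently replaces 'ä' with '?', so the two digests diverge there.
        // Encoding.Unicode (UTF-16 LE) widens every char to two bytes and never matches the others.
    }
}
```

The practical consequence is that the encoding used at registration must be the same one used at login, or a correct password will never verify.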
Passwords must always be hashed before being saved in the database. Hashing is used because hashing algorithms are designed with one thing in mind: they are hard (if not impossible) to convert back to plain-text passwords. This makes it harder for attackers to recover the passwords in their real form.
To illustrate this, I converted the code into a function and printed the hash with a small change in the text. Remember: for online applications, do not increase the iteration count. You would indirectly cause a bad UX for the users who are waiting for a response.

Add salt to the recipe

I wonder who started the terminology of salt in cryptography. He must have good taste in computers, I'd say. I covered most of the details of adding salts in the article listed in the references section; please refer to that article. However, I would like to share the code that I have used to generate a random salt for the password. Adding the salt helps you randomize the password itself.
Test: We saw that unsalted passwords are easy to reverse-look-up. In this case, we salted the password and we are going to test the last of our passwords to see if there is a match.

Figure 7: Password not found

Great, isn't it? The password was not matched against any entry in the password dictionary. This gives us an extra layer of security, because an attacker won't be able to convert the password back to its original form by using a reverse lookup table.

Using salt: the good way

There is no single good way of using the salt; there is no standard to be followed while adding the salt to the password. It is just an extra "random" string added to your password strings before they are hashed. There are many common ways: some append the salt at the end, some prepend it, some do both. Do as you please.
There are, however, a few tips that you should keep in mind while salting passwords:
- Do not reuse salts.
- Do not derive salts from the passwords or usernames.
- Use a suitable salt size; 128-bit?
- Use a random salt. You should consider using a good library for generating the salts.
- Store the salts and passwords together.
- Random salts won't be created again (in the near future).

References

Final words

In this post, I demonstrated the hashing techniques in .NET Core; the procedure is similar and very much alike. There are a few differences, in that the objects are not the same.
The object instantiation is not the same, and in my own opinion this is also going to change soon. I gave you a good overview of password hashing, how to crack them (actually, how an attacker may crack them) and how you can add an extra layer of security. Besides this, you should consider adding more security protocols to your own application to secure it from other hacking techniques too.