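/// <summary>
/// Handles a self-service registration: validates the form, rejects duplicate addresses,
/// stores a salted hash of the password and signs the new user in.
/// </summary>
/// <param name="email">Address entered by the user; doubles as the user name.</param>
/// <param name="password">New password.</param>
/// <param name="password2">Confirmation of <paramref name="password"/>; must match exactly.</param>
/// <returns>The registration view with an error message, or a redirect to Home/Index on success.</returns>
public ActionResult Register(string email, string password, string password2)
{
    // Presence first, then format: a missing field is reported as "mandatory" instead of being
    // handed to IsEmailAddress, whose handling of null is not visible here.
    if (email.IsNullOrEmpty() || password.IsNullOrEmpty() || password2.IsNullOrEmpty())
    {
        return View(new RegisterVM { ErrorMessage = "All fields marked with * are mandatory" });
    }
    if (!IsEmailAddress(email))
    {
        return View(new RegisterVM { ErrorMessage = "You must enter a valid email address" });
    }
    if (password != password2)
    {
        return View(new RegisterVM { ErrorMessage = "Passwords do not match" });
    }
    // Cheap policy gate before the deliberately expensive hash. NOTE(review): the message
    // hard-codes "6 characters" while the real rule is whatever PwdPolicy says — keep them in sync.
    if (!PasswordMeetsPolicy(password, PwdPolicy))
    {
        return View(new RegisterVM { ErrorMessage = "Password must be at least 6 characters long" });
    }
    // Check-then-insert is racy: two concurrent registrations for the same address can both pass
    // this lookup, so the store also needs a unique constraint on UserName. The message confirms
    // whether an address is registered (account enumeration) — acceptable only if that is a
    // deliberate product decision.
    var user = userService.GetUser(email);
    if (user != null)
    {
        return View(new RegisterVM { ErrorMessage = "That email is already taken" });
    }
    // Fresh random salt per user; the iteration count comes from configuration. Whether that
    // count is persisted next to the hash (needed to raise it later without locking out existing
    // users) is not visible here — confirm in User / userService.
    var salt = PWDTK.GetRandomSalt(saltSize);
    var hash = PWDTK.PasswordToHash(salt, password, Configuration.GetHashIterations());
    user = new User
    {
        UserName = email,
        Salt = salt,
        Password = hash,
        LoginProvider = LoginProvider.Internal
    };
    user.Id = userService.InsertUser(user, () => Redis.AddUser(user));
    // Signs the new user in immediately with a persistent ("remember me") cookie. No [HttpPost] /
    // [ValidateAntiForgeryToken] attributes are visible on this action — confirm they exist on the
    // declaration, since this is a state-changing form post.
    FormsAuthentication.SetAuthCookie(user.Id.ToString(), createPersistentCookie: true);
    return RedirectToAction("Index", "Home");
}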
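/// <summary>
/// Save handler for the change-password dialog: checks that both SecureString entries match,
/// applies the password policy, stores a fresh salt + hash for <c>_Id</c> and closes the dialog.
/// Any exception is reported to the user in a message box.
/// </summary>
private void CmdGuardar_Click()
{
    try
    {
        // Password / PasswordVerification are SecureStrings. Converting them to managed strings
        // leaves plaintext copies in the GC heap until collection (which SecureString was meant
        // to avoid); at minimum the unmanaged BSTR copies must be zeroed and freed — the original
        // never released them.
        string insecurePassword;
        IntPtr passwordBSTR = Marshal.SecureStringToBSTR(Password);
        try
        {
            insecurePassword = Marshal.PtrToStringBSTR(passwordBSTR);
        }
        finally
        {
            Marshal.ZeroFreeBSTR(passwordBSTR);
        }

        string insecurePasswordVerification;
        IntPtr passwordVerificationBSTR = Marshal.SecureStringToBSTR(PasswordVerification);
        try
        {
            insecurePasswordVerification = Marshal.PtrToStringBSTR(passwordVerificationBSTR);
        }
        finally
        {
            Marshal.ZeroFreeBSTR(passwordVerificationBSTR);
        }

        if (!insecurePassword.Equals(insecurePasswordVerification))
        {
            throw new Exception("Error con el Password");
        }

        // Policy gate; a rejected password leaves the dialog open (no CmdSalir_Click).
        if (!PasswordMeetsPolicy(insecurePassword, PwdPolicy))
        {
            return;
        }

        // Fresh salt and iterated hash, both persisted as hex strings. The iteration count itself
        // is not written with the row; if it is ever raised, existing hashes cannot be verified
        // unless the count is tracked elsewhere.
        _salt = PWDTK.GetRandomSalt(saltSize);
        string salt = PWDTK.GetSaltHexString(_salt);
        _hash = PWDTK.PasswordToHash(_salt, insecurePassword, iterations);
        string hashedPassword = PWDTK.HashBytesToHexString(_hash);
        using (SqlExcuteCommand exe = new SqlExcuteCommand() { DBCnnStr = DBEndososCnnStr })
        {
            exe.MyUpdateUser(_Id, hashedPassword, salt);
        }

        MessageBox.Show("Dones...", "Done", MessageBoxButton.OK, MessageBoxImage.Information);
        CmdSalir_Click();
    }
    catch (Exception ex)
    {
        // TargetSite can be null; don't let the error dialog itself throw.
        MethodBase site = ex.TargetSite;
        string caption = site != null ? site.Name : "Error";
        MessageBox.Show(ex.Message, caption, MessageBoxButton.OK, MessageBoxImage.Error);
    }
}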
/// <summary>
/// Salts and hashes a system-generated password into <c>Salt</c> / <c>Hash</c>, skipping the
/// policy check that <c>HashPassword</c> applies to user-chosen passwords.
/// </summary>
/// <param name="password">The generated password to hash.</param>
/// <returns><c>true</c> when both fields were set; <c>false</c> if anything threw.</returns>
public bool HashGeneratedPassword(string password)
{
    try
    {
        Salt = PWDTK.GetRandomSalt(saltSize);
        Hash = PWDTK.PasswordToHash(Salt, password, iterations);
    }
    catch
    {
        // Every failure (including a null password) collapses to false; the caller gets no detail.
        return false;
    }
    return true;
}
/// <summary>
/// Validates <paramref name="password"/> against <c>PwdPolicy</c> and, if it passes, stores a
/// fresh random salt and the iterated hash in <c>Salt</c> / <c>Hash</c>.
/// </summary>
/// <param name="password">User-chosen password.</param>
/// <returns><c>false</c> when the policy rejects the password (nothing is hashed); otherwise <c>true</c>.</returns>
public bool HashPassword(string password)
{
    // Cheap policy gate before the deliberately slow hash computation.
    if (!PasswordMeetsPolicy(password, PwdPolicy))
    {
        return false;
    }

    Salt = PWDTK.GetRandomSalt(saltSize);
    Hash = PWDTK.PasswordToHash(Salt, password, iterations);
    return true;
}
/// <summary>
/// Demo button handler: hashes the text in <c>PasswordTextBox</c> into <c>_salt</c> / <c>_hash</c>
/// and shows the hex hash in a dialog. Demo behaviour only — a real application would persist
/// salt, hash and the iteration count, and never display the hash.
/// </summary>
private void GetHashButton_Click(object sender, RoutedEventArgs e)
{
    string enteredPassword = PasswordTextBox.Password;
    if (!PasswordMeetsPolicy(enteredPassword, PwdPolicy))
    {
        return;
    }

    _salt = PWDTK.GetRandomSalt(saltSize);
    _hash = PWDTK.PasswordToHash(_salt, enteredPassword, iterations);

    // Store at least salt, hash and user id; storing the iteration count too is strongly
    // recommended, since it will need raising as hardware gets faster.
    CompareHashButton.IsEnabled = true;
    string hashHex = PWDTK.HashBytesToHexString(_hash);
    MessageBox.Show("Users Password Hash: " + hashHex);
    MessageBox.Show("Hash stored, now try changing the text in the password field and hit the \"Compare\" button");
}
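/// <summary>
/// Completes a password reset: validates the new password, resolves the reset token
/// (<paramref name="guid"/>) to a user and stores a fresh salt + hash.
/// </summary>
/// <param name="guid">Reset token from the emailed link.</param>
/// <param name="password">New password.</param>
/// <param name="passwordConfirmed">Confirmation; must match <paramref name="password"/> exactly.</param>
/// <returns>The view, with <c>TempData["message"]</c> set to an error text or "ok".</returns>
public ActionResult ResetPassword(string guid, string password, string passwordConfirmed)
{
    if (password.IsNullOrEmpty() || passwordConfirmed.IsNullOrEmpty())
    {
        TempData["message"] = "Password can not be empty";
        return View();
    }
    if (password != passwordConfirmed)
    {
        TempData["message"] = "Passwords must match";
        return View();
    }
    // NOTE(review): the message hard-codes "6 characters"; the real rule is PwdPolicy.
    if (!PasswordMeetsPolicy(password, PwdPolicy))
    {
        TempData["message"] = "Password must be at least 6 characters long";
        return View();
    }

    // Never hand an empty/null token to the store: it must not be able to resolve to a user.
    if (guid.IsNullOrEmpty())
    {
        TempData["message"] = "We couldn't find that user!";
        return View();
    }
    var user = userService.GetUserByGuid(guid);
    if (user == null)
    {
        TempData["message"] = "We couldn't find that user!";
        return View();
    }

    // New salt per reset. Whether UpdateUserPassword also invalidates the token (it must be
    // single-use and time-limited, otherwise the link stays a permanent password-change
    // capability) and whether the iteration count is stored with the hash is not visible here —
    // confirm in userService.
    var salt = PWDTK.GetRandomSalt(saltSize);
    var hash = PWDTK.PasswordToHash(salt, password, Configuration.GetHashIterations());
    userService.UpdateUserPassword(user.Id, salt, hash);
    TempData["message"] = "ok";
    return View();
}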
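/// <summary>
/// Save handler for the user-administration dialog. <c>_Operation</c> selects the action:
/// 1 = add user, 2 = update access areas, 3 = delete (after confirmation), 4 = change password.
/// Password operations share <see cref="TryHashEnteredPassword"/>; a policy rejection returns
/// without closing the dialog, anything else ends with <c>Cancelar_Click()</c>.
/// </summary>
private void Guardar_Click()
{
    try
    {
        // Access areas are persisted as one string with no separator — existing storage format.
        string areasDeAcceso = string.Empty;
        foreach (string area in _AreasDeAcceso)
        {
            areasDeAcceso += area;
        }

        switch (_Operation)
        {
            case 1: // Add user
            {
                string hashedPassword;
                string saltHex;
                if (!TryHashEnteredPassword(out hashedPassword, out saltHex))
                {
                    return; // policy rejected; dialog stays open
                }
                // Email is derived from the user name with a hard-coded domain (existing behaviour).
                tblUser newUser = new tblUser
                {
                    UserId = System.Guid.NewGuid(),
                    UserName = CbUser_Text,
                    PasswordHash = hashedPassword,
                    SecurityStamp = saltHex,
                    Email = CbUser_Text + "@jolpr.com",
                    AreasDeAcceso = areasDeAcceso
                };
                using (SqlExcuteCommand exe = new SqlExcuteCommand() { DBCnnStr = DBEndososCnnStr })
                {
                    exe.MyInsertUsers(newUser.UserId, newUser.UserName, newUser.PasswordHash, newUser.SecurityStamp, newUser.Email, newUser.AreasDeAcceso);
                }
                MyRefresh();
                break;
            }
            case 2: // Edit access areas
            {
                using (SqlExcuteCommand exe = new SqlExcuteCommand() { DBCnnStr = DBEndososCnnStr })
                {
                    exe.MyUpdateUser(_Id, areasDeAcceso);
                }
                MyRefresh();
                break;
            }
            case 3: // Delete
            {
                string msg = "You are about to delete 1 user\r";
                msg += "Click yes to permanently delete this user( " + CbUser_Text + " ).\r";
                msg += "You won't be able to undo those changes.";
                MessageBoxResult response = MessageBox.Show("!!!" + msg, "Delete...", MessageBoxButton.YesNo, MessageBoxImage.Exclamation);
                if (response == MessageBoxResult.Yes)
                {
                    using (SqlExcuteCommand exe = new SqlExcuteCommand() { DBCnnStr = DBEndososCnnStr })
                    {
                        exe.MyDeleteUsers(_Id);
                    }
                    MyRefresh();
                }
                break;
            }
            case 4: // Change password
            {
                string hashedPassword;
                string saltHex;
                if (!TryHashEnteredPassword(out hashedPassword, out saltHex))
                {
                    return; // policy rejected; dialog stays open
                }
                using (SqlExcuteCommand exe = new SqlExcuteCommand() { DBCnnStr = DBEndososCnnStr })
                {
                    exe.MyUpdateUser(_Id, hashedPassword, saltHex);
                }
                MyRefresh();
                break;
            }
        }

        Cancelar_Click();
    }
    catch (Exception ex)
    {
        // Show only the message: ex.ToString() dumps the stack trace and internal type names into
        // the UI. TargetSite can be null, so guard the caption too.
        MethodBase site = ex.TargetSite;
        string caption = site != null ? site.Name : "Error";
        MessageBox.Show(ex.Message, caption, MessageBoxButton.OK, MessageBoxImage.Error);
    }
}

/// <summary>
/// Reads both password entries, checks that they match (throws otherwise, as before), applies the
/// user-name and password policies and, if both pass, generates a fresh salt and hash into
/// <c>_salt</c> / <c>_hash</c>.
/// </summary>
/// <param name="hashedPassword">Hex-encoded hash, or <c>null</c> when the policy rejected the input.</param>
/// <param name="saltHex">Hex-encoded salt, or <c>null</c> when the policy rejected the input.</param>
/// <returns><c>true</c> when a hash was produced; <c>false</c> when a policy check failed.</returns>
private bool TryHashEnteredPassword(out string hashedPassword, out string saltHex)
{
    string insecurePassword = ReadSecureString(Password);
    string insecurePasswordVerification = ReadSecureString(PasswordVerification);
    if (!insecurePassword.Equals(insecurePasswordVerification))
    {
        throw new Exception("Error con el Password");
    }

    // Same order as before: user-name policy, then password policy (short-circuit keeps any
    // prompts those helpers show in the original order).
    if (!userMeetsPolicy(CbUser_Text, UserPolicy) || !PasswordMeetsPolicy(insecurePassword, PwdPolicy))
    {
        hashedPassword = null;
        saltHex = null;
        return false;
    }

    // The iteration count is not stored with the row; raising it later breaks verification of
    // existing users unless it is tracked elsewhere.
    _salt = PWDTK.GetRandomSalt(saltSize);
    saltHex = PWDTK.GetSaltHexString(_salt);
    _hash = PWDTK.PasswordToHash(_salt, insecurePassword, iterations);
    hashedPassword = PWDTK.HashBytesToHexString(_hash);
    return true;
}

/// <summary>
/// Copies a SecureString into a managed string. The managed copy lives in the GC heap until
/// collected (so SecureString's protection is largely lost at this point), but the unmanaged BSTR
/// copy is zeroed and freed immediately — the original code leaked it.
/// </summary>
/// <param name="secret">The SecureString to read.</param>
/// <returns>The plaintext content.</returns>
private static string ReadSecureString(System.Security.SecureString secret)
{
    IntPtr bstr = Marshal.SecureStringToBSTR(secret);
    try
    {
        return Marshal.PtrToStringBSTR(bstr);
    }
    finally
    {
        Marshal.ZeroFreeBSTR(bstr);
    }
}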
/// <summary>
/// Generates a random salt and uses it to hash <paramref name="senha"/>. Despite the name
/// ("encrypt"), this is a one-way salted hash via PWDTK, not reversible encryption.
/// </summary>
/// <param name="senha">The password to hash.</param>
/// <param name="salt">The generated salt. Persist it next to the hash; it is needed to verify the password later.</param>
/// <returns>The hash bytes. Uses PWDTK's default salt size and iteration count (none are passed explicitly).</returns>
public static byte[] Encriptar(string senha, out byte[] salt)
{
    byte[] freshSalt = PWDTK.GetRandomSalt();
    salt = freshSalt;
    return PWDTK.PasswordToHash(freshSalt, senha);
}
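/*
 * bool IsUserAlreadyExist()
 * {
 *     SqlParameter[] parameters = {
 *         new SqlParameter { ParameterName="UserLogin", DbType= DbType.AnsiString, Size=128, Value= Email.Value.ToString()}
 *     };
 *
 *     string email = SqlApiSqlClient.GetStringRecordValue("SELECT [UserLogin] FROM Users WHERE [UserLogin] = @UserLogin;", parameters, Global.Configuration.DB.GetConnectionStringDBMain());
 *
 *     if (!string.IsNullOrEmpty(email)) return true;
 *     else return false;
 * }
 */
//TODO: send confirmation email

/// <summary>
/// Inserts a new CMSUserRegister row from the registration form, storing the password as a
/// PWDTK salted hash (hash and salt both hex-encoded). No duplicate-user check is performed here
/// (see the commented-out IsUserAlreadyExist above).
/// </summary>
/// <returns><c>true</c> when exactly one row was inserted.</returns>
bool CreateUser()
{
    // The password policy every password must meet; checking it first avoids spending CPU on
    // hashing an obviously invalid password.
    // NOTE(review): this policy is built but never applied — the password is hashed and stored
    // regardless of length/complexity. Apply the same policy check the other callers use before
    // hashing (not added here: no policy-check helper is visible in this class from this file).
    PWDTK.PasswordPolicy PwdPolicy = new PWDTK.PasswordPolicy(numberUpper, numberNonAlphaNumeric, numberNumeric, minPwdLength, maxPwdLength);
    // Alternatively the library default: PWDTK.PasswordPolicy PwdPolicy = PWDTK.cDefaultPasswordPolicy;

    // Fresh random salt per user, then the iterated hash. The iteration count is not written with
    // the row; if it is raised later, existing rows cannot be verified unless it is tracked
    // elsewhere. PWDTK.HashHexStringToBytes reverses the hex encoding when verifying a login.
    byte[] saltBytes = PWDTK.GetRandomSalt(saltSize);
    byte[] hashBytes = PWDTK.PasswordToHash(saltBytes, PasswordReg.Value.ToString(), iterations);
    string encrypass = PWDTK.HashBytesToHexString(hashBytes);
    string salt = PWDTK.HashBytesToHexString(saltBytes);

    // All user input goes through parameters — never concatenated into the statement.
    SqlParameter[] parameters =
    {
        new SqlParameter { ParameterName = "Names", DbType = DbType.AnsiString, Size = 50, Value = Names.Value.ToString() },
        new SqlParameter { ParameterName = "LastName", DbType = DbType.AnsiString, Size = 50, Value = LastName.Value.ToString() },
        new SqlParameter { ParameterName = "Mobile", DbType = DbType.AnsiString, Size = 50, Value = Mobile.Value.ToString() },
        new SqlParameter { ParameterName = "Email", DbType = DbType.AnsiString, Size = 50, Value = Email.Value.ToString() },
        new SqlParameter { ParameterName = "Business", DbType = DbType.AnsiString, Size = 50, Value = Business.Value.ToString() },
        new SqlParameter { ParameterName = "Position", DbType = DbType.AnsiString, Size = 50, Value = Position.Value.ToString() },
        new SqlParameter { ParameterName = "Country", DbType = DbType.AnsiString, Size = 50, Value = Country.Value.ToString() },
        new SqlParameter { ParameterName = "City", DbType = DbType.AnsiString, Size = 50, Value = City.Value.ToString() },
        new SqlParameter { ParameterName = "Telephone", DbType = DbType.AnsiString, Size = 50, Value = Telephone.Value.ToString() },
        new SqlParameter { ParameterName = "Password", DbType = DbType.AnsiString, Size = 1000, Value = encrypass },
        new SqlParameter { ParameterName = "PasswordSalt", DbType = DbType.AnsiString, Size = 1000, Value = salt }
    };

    string tsql = @" SET NOCOUNT OFF; INSERT INTO [CMSUserRegister] ([Names], [LastName], [Mobile], [Email], [Business], [Position], [Country], [City], [Telephone], [RegisterDate], [Password], [PasswordSalt], [LastLogin]) VALUES (@Names, @LastName, @Mobile, @Email, @Business, @Position, @Country, @City, @Telephone, GETDATE(), @Password, @PasswordSalt, GETDATE()); ; ";

    var sqlserver = new SqlApiSqlClient();
    int rowsAffected = sqlserver.CommandExecuteSqlString(tsql, parameters, Global.Configuration.DB.GetConnectionStringDBMain());
    return rowsAffected == 1;
}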