Hash passwords with slow equals | C# Online Compiler

Hash passwords with slow equals by Pituach.dev

// All rights reserved, pituach.dev
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Cryptography.KeyDerivation;

public class Program
{
	// Gets a securely randomized salt for us.
	public static byte[] RandomSalt()
	{
		// We securly randomize a long enough salt, 16 bytes should suffice.
		return RandomNumberGenerator.GetBytes(16);
	}

	// Computes the hash for the given password.
	public static byte[] ComputeHash(string password, byte[] salt, int iterations)
	{
		// We compute the hash with the given variables, we take 36 bytes from the result, this should suffice.
		return KeyDerivation.Pbkdf2(password, salt, KeyDerivationPrf.HMACSHA512, iterations, 36);
	}
	
	// Slow compares the two given arrays.
	public static bool SlowEquals(byte[] a, byte[] b)
	{
		uint diff = (uint)a.Length ^ (uint)b.Length;
		for (int i = 0; i < a.Length && i < b.Length; i++)
			diff |= (uint)(a[i] ^ b[i]);
		return diff == 0;
	}
	
	// Whether the given password is hashed exactly to the given saved hash.
	public static bool ComparePassword(string password, byte[] salt, int iterations, byte[] savedHash)
	{
		return SlowEquals(ComputeHash(password, salt, iterations), savedHash);
	}

	public static void Main()
	{
		// Original password should be received from the client, either when setting a password or authenticating the user (comparing the password with the stored hash).
		string originalPassword = "P@ssw0rd1";

		// Salt should be calculated once when password is set, and saved to the DB. When authenticating the user - the salt should be pulled from the DB for the user.
		byte[] salt = RandomSalt();

		// Iterations should be a program constant/parameter and should be high enough while still being useful - in PBKDF2, at least 200000 (as of 2023).
		int iterations = 200000;

		// Now we compute the hash for the given password. When setting the password - we will store the computed hash, with the salt and iterations in the DB.
		byte[] computedHash = ComputeHash(originalPassword, salt, iterations);
		
		// We will also test a test password.
		string testPassword = "1dr0wss@P";

		Console.WriteLine("Checking password {0}, is it valid? {1}", originalPassword, ComparePassword(originalPassword, salt, iterations, computedHash));
		Console.WriteLine("Checking password {0}, is it valid? {1}", testPassword, ComparePassword(testPassword, salt, iterations, computedHash));
	}
}

​x
 
// All rights reserved, pituach.dev
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Cryptography.KeyDerivation;
​
public class Program
{
    // Gets a securely randomized salt for us.
    public static byte[] RandomSalt()
    {
        // We securly randomize a long enough salt, 16 bytes should suffice.
        return RandomNumberGenerator.GetBytes(16);
    }
​
    // Computes the hash for the given password.
    public static byte[] ComputeHash(string password, byte[] salt, int iterations)
    {
        // We compute the hash with the given variables, we take 36 bytes from the result, this should suffice.
        return KeyDerivation.Pbkdf2(password, salt, KeyDerivationPrf.HMACSHA512, iterations, 36);
    }
    
    // Slow compares the two given arrays.
    public static bool SlowEquals(byte[] a, byte[] b)
    {
        uint diff = (uint)a.Length ^ (uint)b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++)
            diff |= (uint)(a[i] ^ b[i]);
        return diff == 0;
    }
    
    // Whether the given password is hashed exactly to the given saved hash.
    public static bool ComparePassword(string password, byte[] salt, int iterations, byte[] savedHash)
    {
        return SlowEquals(ComputeHash(password, salt, iterations), savedHash);
    }
​
    public static void Main()
    {
        // Original password should be received from the client, either when setting a password or authenticating the user (comparing the password with the stored hash).
        string originalPassword = "P@ssw0rd1";
​
        // Salt should be calculated once when password is set, and saved to the DB. When authenticating the user - the salt should be pulled from the DB for the user.
        byte[] salt = RandomSalt();
​
        // Iterations should be a program constant/parameter and should be high enough while still being useful - in PBKDF2, at least 200000 (as of 2023).
        int iterations = 200000;
​
        // Now we compute the hash for the given password. When setting the password - we will store the computed hash, with the salt and iterations in the DB.
        byte[] computedHash = ComputeHash(originalPassword, salt, iterations);
        
        // We will also test a test password.
        string testPassword = "1dr0wss@P";
​
        Console.WriteLine("Checking password {0}, is it valid? {1}", originalPassword, ComparePassword(originalPassword, salt, iterations, computedHash));
        Console.WriteLine("Checking password {0}, is it valid? {1}", testPassword, ComparePassword(testPassword, salt, iterations, computedHash));
    }
}

Checking password P@ssw0rd1, is it valid? True
Checking password 1dr0wss@P, is it valid? False

Cached Result
Last Run:	11:59:06 am
Compile:	0.008s
Execute:	0.57s
Memory:	9.59Mb
CPU:	0.578s

View IL Code