Hash passwords with known typos | C# Online Compiler

Hash passwords with known typos by Pituach.dev

// All rights reserved, pituach.dev
using System;
using System.Linq;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Cryptography.KeyDerivation;

public class Program
{
	// Gets a securely randomized salt for us.
	public static byte[] RandomSalt()
	{
		// We securly randomize a long enough salt, 16 bytes should suffice.
		return RandomNumberGenerator.GetBytes(16);
	}

	// Computes the hash for the given password.
	public static byte[] ComputeHash(string password, byte[] salt, int iterations)
	{
		// We compute the hash with the given variables, we take 36 bytes from the result, this should suffice.
		return KeyDerivation.Pbkdf2(password, salt, KeyDerivationPrf.HMACSHA512, iterations, 36);
	}
	
	// Slow compares the two given arrays.
	public static bool SlowEquals(byte[] a, byte[] b)
	{
		uint diff = (uint)a.Length ^ (uint)b.Length;
		for (int i = 0; i < a.Length && i < b.Length; i++)
			diff |= (uint)(a[i] ^ b[i]);
		return diff == 0;
	}
	
	// Whether the given password is hashed correctly to the given saved hash.
	public static bool ComparePassword(string password, byte[] salt, int iterations, byte[] savedHash)
	{
		// Compute the hash for the given password.
		var computedHash    	= ComputeHash(password, salt, iterations);

		// Check that the given password is exactly the stored password.
		if (SlowEquals(savedHash, computedHash))
		{
			return true;
		}

		// Check if the given password has an extra char at the start.
		computedHash        	= ComputeHash(password.Substring(1), salt, iterations);

		if (SlowEquals(savedHash, computedHash))
		{
			return true;
		}

		// Check if the given password has an extra char at the end.
		computedHash        	= ComputeHash(password.Substring(0, password.Length - 1), salt, iterations);

		if (SlowEquals(savedHash, computedHash))
		{
			return true;
		}

		// If the first letter is upper case, check if the given password with first letter inverted case is the stored password.
		if (char.IsUpper(password[0]))
		{
			computedHash    	= ComputeHash(char.ToLower(password[0]) + password.Substring(1), salt, iterations);

			if (SlowEquals(savedHash, computedHash))
			{
				return true;
			}
		}

		// Check if the password has inverted case (e.g. using Caps-Lock).
		var invertCasePassword  = new string(password.Select(c => char.IsLetter(c) ? (char.IsUpper(c) ? char.ToLower(c) : char.ToUpper(c)) : c).ToArray());
		computedHash        	= ComputeHash(invertCasePassword, salt, iterations);

		if (SlowEquals(savedHash, computedHash))
		{
			return true;
		}

		// If no check succeeded, the password is incorrect.
		return false;
	}

	public static void Main()
	{
		// Original password should be received from the client, either when setting a password or authenticating the user (comparing the password with the stored hash).
		string originalPassword = "P@ssw0rd1";

		// Salt should be calculated once when password is set, and saved to the DB. When authenticating the user - the salt should be pulled from the DB for the user.
		byte[] salt = RandomSalt();

		// Iterations should be a program constant/parameter and should be high enough while still being useful - in PBKDF2, at least 200000 (as of 2023).
		int iterations = 200000;

		// Now we compute the hash for the given password. When setting the password - we will store the computed hash, with the salt and iterations in the DB.
		byte[] computedHash = ComputeHash(originalPassword, salt, iterations);
		
		// We will also test a test password.
		string testPassword1	= "1dr0wss@P";
		string testPassword2 	= "P@ssw0rd11";
		string testPassword3 	= "PP@ssw0rd1";
		string testPassword4 	= "p@SSW0RD1";
		string testPassword5 	= "P@ssw0rd5";
		string testPassword6 	= "P@ssw0rd123";

		Console.WriteLine("Checking password {0}, is it valid? {1}", originalPassword, ComparePassword(originalPassword, salt, iterations, computedHash));
		Console.WriteLine("Checking password {0}, is it valid? {1}", testPassword1, ComparePassword(testPassword1, salt, iterations, computedHash));
		Console.WriteLine("Checking password {0}, is it valid? {1}", testPassword2, ComparePassword(testPassword2, salt, iterations, computedHash));
		Console.WriteLine("Checking password {0}, is it valid? {1}", testPassword3, ComparePassword(testPassword3, salt, iterations, computedHash));
		Console.WriteLine("Checking password {0}, is it valid? {1}", testPassword4, ComparePassword(testPassword4, salt, iterations, computedHash));
		Console.WriteLine("Checking password {0}, is it valid? {1}", testPassword5, ComparePassword(testPassword5, salt, iterations, computedHash));
		Console.WriteLine("Checking password {0}, is it valid? {1}", testPassword6, ComparePassword(testPassword6, salt, iterations, computedHash));
	}
}

​x
 
// All rights reserved, pituach.dev
using System;
using System.Linq;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Cryptography.KeyDerivation;
​
public class Program
{
    // Gets a securely randomized salt for us.
    public static byte[] RandomSalt()
    {
        // We securly randomize a long enough salt, 16 bytes should suffice.
        return RandomNumberGenerator.GetBytes(16);
    }
​
    // Computes the hash for the given password.
    public static byte[] ComputeHash(string password, byte[] salt, int iterations)
    {
        // We compute the hash with the given variables, we take 36 bytes from the result, this should suffice.
        return KeyDerivation.Pbkdf2(password, salt, KeyDerivationPrf.HMACSHA512, iterations, 36);
    }
    
    // Slow compares the two given arrays.
    public static bool SlowEquals(byte[] a, byte[] b)
    {
        uint diff = (uint)a.Length ^ (uint)b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++)
            diff |= (uint)(a[i] ^ b[i]);
        return diff == 0;
    }
    
    // Whether the given password is hashed correctly to the given saved hash.
    public static bool ComparePassword(string password, byte[] salt, int iterations, byte[] savedHash)
    {
        // Compute the hash for the given password.
        var computedHash        = ComputeHash(password, salt, iterations);
​
        // Check that the given password is exactly the stored password.
        if (SlowEquals(savedHash, computedHash))
        {
            return true;
        }
​
        // Check if the given password has an extra char at the start.
        computedHash            = ComputeHash(password.Substring(1), salt, iterations);
​
        if (SlowEquals(savedHash, computedHash))
        {
            return true;
        }
​
        // Check if the given password has an extra char at the end.
        computedHash            = ComputeHash(password.Substring(0, password.Length - 1), salt, iterations);
​
        if (SlowEquals(savedHash, computedHash))
        {
            return true;
        }
​
        // If the first letter is upper case, check if the given password with first letter inverted case is the stored password.
        if (char.IsUpper(password[0]))
        {
            computedHash        = ComputeHash(char.ToLower(password[0]) + password.Substring(1), salt, iterations);
​
            if (SlowEquals(savedHash, computedHash))
            {
                return true;
            }
        }
​
        // Check if the password has inverted case (e.g. using Caps-Lock).
        var invertCasePassword  = new string(password.Select(c => char.IsLetter(c) ? (char.IsUpper(c) ? char.ToLower(c) : char.ToUpper(c)) : c).ToArray());
        computedHash            = ComputeHash(invertCasePassword, salt, iterations);
​
        if (SlowEquals(savedHash, computedHash))
        {
            return true;
        }
​
        // If no check succeeded, the password is incorrect.
        return false;
    }
​
    public static void Main()
    {
        // Original password should be received from the client, either when setting a password or authenticating the user (comparing the password with the stored hash).
        string originalPassword = "P@ssw0rd1";
​
        // Salt should be calculated once when password is set, and saved to the DB. When authenticating the user - the salt should be pulled from the DB for the user.
        byte[] salt = RandomSalt();
​
        // Iterations should be a program constant/parameter and should be high enough while still being useful - in PBKDF2, at least 200000 (as of 2023).
        int iterations = 200000;
​
        // Now we compute the hash for the given password. When setting the password - we will store the computed hash, with the salt and iterations in the DB.
        byte[] computedHash = ComputeHash(originalPassword, salt, iterations);
        
        // We will also test a test password.
        string testPassword1    = "1dr0wss@P";
        string testPassword2    = "P@ssw0rd11";
        string testPassword3    = "PP@ssw0rd1";
        string testPassword4    = "p@SSW0RD1";
        string testPassword5    = "P@ssw0rd5";
        string testPassword6    = "P@ssw0rd123";
​
        Console.WriteLine("Checking password {0}, is it valid? {1}", originalPassword, ComparePassword(originalPassword, salt, iterations, computedHash));
        Console.WriteLine("Checking password {0}, is it valid? {1}", testPassword1, ComparePassword(testPassword1, salt, iterations, computedHash));
        Console.WriteLine("Checking password {0}, is it valid? {1}", testPassword2, ComparePassword(testPassword2, salt, iterations, computedHash));
        Console.WriteLine("Checking password {0}, is it valid? {1}", testPassword3, ComparePassword(testPassword3, salt, iterations, computedHash));
        Console.WriteLine("Checking password {0}, is it valid? {1}", testPassword4, ComparePassword(testPassword4, salt, iterations, computedHash));
        Console.WriteLine("Checking password {0}, is it valid? {1}", testPassword5, ComparePassword(testPassword5, salt, iterations, computedHash));
        Console.WriteLine("Checking password {0}, is it valid? {1}", testPassword6, ComparePassword(testPassword6, salt, iterations, computedHash));
    }
}

View IL Code