Updated hashing algorithm

ELYPSIARECORDS · Aug 29, 2017 · 2e2f722 · 2e2f722
1 parent 52a3a5c
commit 2e2f722
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 14 deletions.
diff --git a/src/Pages/Login.cshtml.cs b/src/Pages/Login.cshtml.cs
@@ -1,5 +1,6 @@
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Cryptography.KeyDerivation;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using Microsoft.Extensions.Configuration;
 using System;
@@ -58,16 +59,18 @@ private void RedirectFromLogin(string query = "")
 
         private bool VerifyHashedPassword(string password)
         {
-            byte[] passwordBytes = Encoding.UTF8.GetBytes(password);
             byte[] saltBytes = Encoding.UTF8.GetBytes(_config["user:salt"]);
-            byte[] saltedValue = passwordBytes.Concat(saltBytes).ToArray();
 
-            using (var sha = new SHA256Managed())
-            {
-                byte[] hash = sha.ComputeHash(saltedValue);
-                var hashText = BitConverter.ToString(hash).Replace("-", string.Empty);
-                return hashText == _config["user:password"];
-            }
+            byte[] hashBytes = KeyDerivation.Pbkdf2(
+                password: password,
+                salt: saltBytes,
+                prf: KeyDerivationPrf.HMACSHA1,
+                iterationCount: 1000,
+                numBytesRequested: 256 / 8
+            );
+
+            string hashText = BitConverter.ToString(hashBytes).Replace("-", string.Empty);
+            return hashText == _config["user:password"];
         }
     }
 }
diff --git a/src/appsettings.json b/src/appsettings.json
@@ -1,9 +1,9 @@
 {
   "user": {
     "username": "demo",
-    // Generate a new password hash with salt here https://www.convertstring.com/en/Hash/SHA256
-    "password": "9932330BBB4675D16E622A5FEDF2B0AB93081BEE34E23D14762A46BF4CAF0C8E", // this password is "demo"
-    "salt": "somestring"
+    // Generate a new password hash with salt here https://onlinehasher.azurewebsites.net/
+    "password": "EB53D045EB132825A39F59AEA3FC453F216CB088775D6E7CE4A9740611B573CD", // this password is "demo"
+    "salt": "any custom string"
   },
   "Logging": {
     "IncludeScopes": false,

diff --git a/src/imageoptimizer.json b/src/imageoptimizer.json
@@ -8,7 +8,5 @@
       "includes": [ "wwwroot/albums/*/*.*" ],
       "lossy": false
     }
-  ],
-
-  "warmupTime": 0
+  ]
 }