From 2e2f722d88fcd7948962aaf0bc851fcf6b2e51c8 Mon Sep 17 00:00:00 2001
From: Mads Kristensen 
Date: Tue, 29 Aug 2017 14:13:18 -0700
Subject: [PATCH] Updated hashing algorithm

---
 src/Pages/Login.cshtml.cs | 19 +++++++++++--------
 src/appsettings.json | 6 +++---
 src/imageoptimizer.json | 4 +---
 3 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/src/Pages/Login.cshtml.cs b/src/Pages/Login.cshtml.cs
index c9b6f74..c69543a 100644
--- a/src/Pages/Login.cshtml.cs
+++ b/src/Pages/Login.cshtml.cs
@@ -1,5 +1,6 @@
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Cryptography.KeyDerivation;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using Microsoft.Extensions.Configuration;
 using System;
@@ -58,16 +59,18 @@ private void RedirectFromLogin(string query = "")
 
         private bool VerifyHashedPassword(string password)
         {
-            byte[] passwordBytes = Encoding.UTF8.GetBytes(password);
             byte[] saltBytes = Encoding.UTF8.GetBytes(_config["user:salt"]);
-            byte[] saltedValue = passwordBytes.Concat(saltBytes).ToArray();
 
-            using (var sha = new SHA256Managed())
-            {
-                byte[] hash = sha.ComputeHash(saltedValue);
-                var hashText = BitConverter.ToString(hash).Replace("-", string.Empty);
-                return hashText == _config["user:password"];
-            }
+            byte[] hashBytes = KeyDerivation.Pbkdf2(
+                password: password,
+                salt: saltBytes,
+                prf: KeyDerivationPrf.HMACSHA1,
+                iterationCount: 1000,
+                numBytesRequested: 256 / 8
+            );
+
+            string hashText = BitConverter.ToString(hashBytes).Replace("-", string.Empty);
+            return hashText == _config["user:password"];
         }
     }
 }
diff --git a/src/appsettings.json b/src/appsettings.json
index eb7d296..5d935b4 100644
--- a/src/appsettings.json
+++ b/src/appsettings.json
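Review bot: The new PBKDF2 call derives the key with `prf: KeyDerivationPrf.HMACSHA1` and `iterationCount: 1000`, which is a very low work factor for a password hash; if I remember correctly ASP.NET Core Identity's own PasswordHasher uses HMACSHA256 with 10,000 iterations, so `prf: KeyDerivationPrf.HMACSHA256,` and `iterationCount: 10000,` (regenerating the stored hash to match) would be a better baseline, and the count belongs in a named constant rather than an inline literal. The check `return hashText == _config["user:password"];` is still an ordinary string comparison that stops at the first mismatching character; comparing the raw bytes with `CryptographicOperations.FixedTimeEquals` (available from .NET Core 2.1) avoids that timing side channel. The salt is whatever UTF-8 string sits in `user:salt`, not random bytes, so a comment above `byte[] saltBytes` stating that the value must be generated randomly per deployment would make the contract explicit. `Encoding.UTF8.GetBytes(_config["user:salt"])` still throws ArgumentNullException when the key is absent, which this commit leaves as is.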
@@ -1,9 +1,9 @@
 {
   "user": {
     "username": "demo",
-    // Generate a new password hash with salt here https://www.convertstring.com/en/Hash/SHA256
-    "password": "9932330BBB4675D16E622A5FEDF2B0AB93081BEE34E23D14762A46BF4CAF0C8E", // this password is "demo"
-    "salt": "somestring"
+    // Generate a new password hash with salt here https://onlinehasher.azurewebsites.net/
+    "password": "EB53D045EB132825A39F59AEA3FC453F216CB088775D6E7CE4A9740611B573CD", // this password is "demo"
+    "salt": "any custom string"
   },
   "Logging": {
     "IncludeScopes": false,
diff --git a/src/imageoptimizer.json b/src/imageoptimizer.json
index 9d70eda..5de98cb 100644
--- a/src/imageoptimizer.json
+++ b/src/imageoptimizer.json
@@ -8,7 +8,5 @@
       "includes": [ "wwwroot/albums/*/*.*" ],
       "lossy": false
     }
-  ],
-
-  "warmupTime": 0
+  ]
 }
\ No newline at end of file
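Review bot: The comment `// Generate a new password hash with salt here https://onlinehasher.azurewebsites.net/` sends operators to an external site without saying which derivation the stored value must match; it is only valid if produced with exactly the parameters in Login.cshtml.cs (PBKDF2 with HMACSHA1, 1000 iterations, 32 bytes, upper-case hex, salt taken as the UTF-8 bytes of `user:salt`), so spelling those out lets a hash be regenerated offline. Typing a real password into a third-party web page to obtain the hash is itself a risk the comment should name. `"salt": "any custom string"` reads as if any value is acceptable; a comment such as `// use a long, randomly generated string unique to this deployment` would set the right expectation. Because appsettings.json is committed, a note that real deployments should override `user:password` and `user:salt` through user-secrets or environment variables would also help.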