Salted hash generator

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;







up vote
5
down vote

favorite












I've had a go at creating a small class in C# that can generated salted hashes from text. I would like to know how this could be improved (in terms of code style) and whether or not this code is secure enough that it could be used in a professional environment (it won't be).



Hasher.cs



using System.Security.Cryptography;

namespace HashAndSaltTest

 public static class Hasher
 
 private static readonly int MaxSaltLength = 32;

 public static byte GenerateSaltedHash(byte plainText)
 
 HashAlgorithm algorithm = new SHA256Managed();
 byte salt = GenerateSalt();
 byte saltedText = new byte[plainText.Length + salt.Length];

 for (int i = 0; i < plainText.Length; i++)
 saltedText[i] = plainText[i];

 for (int i = 0; i < salt.Length; i++)
 saltedText[plainText.Length + i] = salt[i];

 return algorithm.ComputeHash(saltedText);
 

 private static byte GenerateSalt()
 
 byte salt = new byte[MaxSaltLength];

 using (RandomNumberGenerator random = new RNGCryptoServiceProvider())
 random.GetNonZeroBytes(salt);

 return salt;




c# hashcode




share|improve this question





















  • What exactly do you want to use this code for? How do you intend to verify the hashed value?
    – Roland Illig
    May 13 at 16:03










  • If "plainttext" is ever going to be a password, this is not secure. SHA256 is not designed to handle passwords (use PBKDF2 or bCrypt instead). If you're not using it with passwords, I don't get the purpose of the salt. A bit more context of what kind of input is expected and what'll you use the hashes for is relevant when speaking about security.
    – Alejandro
    May 14 at 1:02
















up vote
5
down vote

favorite












I've had a go at creating a small class in C# that can generated salted hashes from text. I would like to know how this could be improved (in terms of code style) and whether or not this code is secure enough that it could be used in a professional environment (it won't be).



Hasher.cs



using System.Security.Cryptography;

namespace HashAndSaltTest

 public static class Hasher
 
 private static readonly int MaxSaltLength = 32;

 public static byte GenerateSaltedHash(byte plainText)
 
 HashAlgorithm algorithm = new SHA256Managed();
 byte salt = GenerateSalt();
 byte saltedText = new byte[plainText.Length + salt.Length];

 for (int i = 0; i < plainText.Length; i++)
 saltedText[i] = plainText[i];

 for (int i = 0; i < salt.Length; i++)
 saltedText[plainText.Length + i] = salt[i];

 return algorithm.ComputeHash(saltedText);
 

 private static byte GenerateSalt()
 
 byte salt = new byte[MaxSaltLength];

 using (RandomNumberGenerator random = new RNGCryptoServiceProvider())
 random.GetNonZeroBytes(salt);

 return salt;




c# hashcode




share|improve this question





















  • What exactly do you want to use this code for? How do you intend to verify the hashed value?
    – Roland Illig
    May 13 at 16:03










  • If "plainttext" is ever going to be a password, this is not secure. SHA256 is not designed to handle passwords (use PBKDF2 or bCrypt instead). If you're not using it with passwords, I don't get the purpose of the salt. A bit more context of what kind of input is expected and what'll you use the hashes for is relevant when speaking about security.
    – Alejandro
    May 14 at 1:02












up vote
5
down vote

favorite









up vote
5
down vote

favorite











I've had a go at creating a small class in C# that can generated salted hashes from text. I would like to know how this could be improved (in terms of code style) and whether or not this code is secure enough that it could be used in a professional environment (it won't be).



Hasher.cs



using System.Security.Cryptography;

namespace HashAndSaltTest

 public static class Hasher
 
 private static readonly int MaxSaltLength = 32;

 public static byte GenerateSaltedHash(byte plainText)
 
 HashAlgorithm algorithm = new SHA256Managed();
 byte salt = GenerateSalt();
 byte saltedText = new byte[plainText.Length + salt.Length];

 for (int i = 0; i < plainText.Length; i++)
 saltedText[i] = plainText[i];

 for (int i = 0; i < salt.Length; i++)
 saltedText[plainText.Length + i] = salt[i];

 return algorithm.ComputeHash(saltedText);
 

 private static byte GenerateSalt()
 
 byte salt = new byte[MaxSaltLength];

 using (RandomNumberGenerator random = new RNGCryptoServiceProvider())
 random.GetNonZeroBytes(salt);

 return salt;




c# hashcode




share|improve this question













I've had a go at creating a small class in C# that can generated salted hashes from text. I would like to know how this could be improved (in terms of code style) and whether or not this code is secure enough that it could be used in a professional environment (it won't be).



Hasher.cs



using System.Security.Cryptography;

namespace HashAndSaltTest

 public static class Hasher
 
 private static readonly int MaxSaltLength = 32;

 public static byte GenerateSaltedHash(byte plainText)
 
 HashAlgorithm algorithm = new SHA256Managed();
 byte salt = GenerateSalt();
 byte saltedText = new byte[plainText.Length + salt.Length];

 for (int i = 0; i < plainText.Length; i++)
 saltedText[i] = plainText[i];

 for (int i = 0; i < salt.Length; i++)
 saltedText[plainText.Length + i] = salt[i];

 return algorithm.ComputeHash(saltedText);
 

 private static byte GenerateSalt()
 
 byte salt = new byte[MaxSaltLength];

 using (RandomNumberGenerator random = new RNGCryptoServiceProvider())
 random.GetNonZeroBytes(salt);

 return salt;





c# hashcode





share|improve this question












share|improve this question




share|improve this question








edited May 20 at 20:55









t3chb0t

31.9k54195




31.9k54195









asked May 12 at 22:11









Ioan Thomas

1546




1546











  • What exactly do you want to use this code for? How do you intend to verify the hashed value?
    – Roland Illig
    May 13 at 16:03










  • If "plainttext" is ever going to be a password, this is not secure. SHA256 is not designed to handle passwords (use PBKDF2 or bCrypt instead). If you're not using it with passwords, I don't get the purpose of the salt. A bit more context of what kind of input is expected and what'll you use the hashes for is relevant when speaking about security.
    – Alejandro
    May 14 at 1:02
















  • What exactly do you want to use this code for? How do you intend to verify the hashed value?
    – Roland Illig
    May 13 at 16:03










  • If "plainttext" is ever going to be a password, this is not secure. SHA256 is not designed to handle passwords (use PBKDF2 or bCrypt instead). If you're not using it with passwords, I don't get the purpose of the salt. A bit more context of what kind of input is expected and what'll you use the hashes for is relevant when speaking about security.
    – Alejandro
    May 14 at 1:02















What exactly do you want to use this code for? How do you intend to verify the hashed value?
– Roland Illig
May 13 at 16:03




What exactly do you want to use this code for? How do you intend to verify the hashed value?
– Roland Illig
May 13 at 16:03












If "plainttext" is ever going to be a password, this is not secure. SHA256 is not designed to handle passwords (use PBKDF2 or bCrypt instead). If you're not using it with passwords, I don't get the purpose of the salt. A bit more context of what kind of input is expected and what'll you use the hashes for is relevant when speaking about security.
– Alejandro
May 14 at 1:02




If "plainttext" is ever going to be a password, this is not secure. SHA256 is not designed to handle passwords (use PBKDF2 or bCrypt instead). If you're not using it with passwords, I don't get the purpose of the salt. A bit more context of what kind of input is expected and what'll you use the hashes for is relevant when speaking about security.
– Alejandro
May 14 at 1:02










1 Answer
1






active

oldest

votes

















up vote
4
down vote



accepted










  • Because HashAlgorithm implements IDisposable you should enclose the usage of it in an using block as well.


  • Omitting braces although they might be optional can lead to hidden and therfor hard to find bugs. I would like to encourage you to always use braces.


  • Instead of using a for loop to copy plainText to saltedText and salt to saltedText you may take advantage of the Array.CopyTo() method.


  • Public methods should validate passed parameters.


  • Because you don't return the salt you can only generate a hash but you can't verify the hash.


Applying the mentioned points can lead to 



public static byte GenerateSaltedHash(byte plainText)

 if (plainText == null) throw new ArgumentNullException("plainText"); 
 if (plainText.Length == 0) throw new ArgumentException("Length may not be zero", "plainText"); 

 using (HashAlgorithm algorithm = new SHA256Managed())
 
 byte salt = GenerateSalt();
 byte saltedText = new byte[plainText.Length + salt.Length];

 plainText.CopyTo(saltedText, 0);
 salt.CopyTo(saltedText, plainText.Length);

 return algorithm.ComputeHash(saltedText);
 


private static byte GenerateSalt()

 using (RandomNumberGenerator random = new RNGCryptoServiceProvider())
 
 byte salt = new byte[MaxSaltLength];
 random.GetNonZeroBytes(salt);
 return salt;






share|improve this answer























  • Thanks for the feedback. Just wondering, from a security standpoint, how safe is this method of generating salted hashes?
    – Ioan Thomas
    May 13 at 20:31










  • IMO its safe enough at least if the plainText isn't containing security relevant information. If plainText contains security relevant information you should override it inside this method.
    – Heslacher
    May 13 at 20:35










  • @Heslacher, could you elaborate on you should override it inside this method a little, and/or show an example? I'm assumingsecurity relevant information would be passwords and such.
    – Sinjai
    May 20 at 21:11











  • I meant overwriting the passed array.
    – Heslacher
    May 22 at 5:51










Your Answer




StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["\$", "\$"]]);
);
);
, "mathjax-editing");

StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "196"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);








 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f194283%2fsalted-hash-generator%23new-answer', 'question_page');

);

Post as a guest

















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
4
down vote



accepted










  • Because HashAlgorithm implements IDisposable you should enclose the usage of it in an using block as well.


  • Omitting braces although they might be optional can lead to hidden and therfor hard to find bugs. I would like to encourage you to always use braces.


  • Instead of using a for loop to copy plainText to saltedText and salt to saltedText you may take advantage of the Array.CopyTo() method.


  • Public methods should validate passed parameters.


  • Because you don't return the salt you can only generate a hash but you can't verify the hash.


Applying the mentioned points can lead to 



public static byte GenerateSaltedHash(byte plainText)

 if (plainText == null) throw new ArgumentNullException("plainText"); 
 if (plainText.Length == 0) throw new ArgumentException("Length may not be zero", "plainText"); 

 using (HashAlgorithm algorithm = new SHA256Managed())
 
 byte salt = GenerateSalt();
 byte saltedText = new byte[plainText.Length + salt.Length];

 plainText.CopyTo(saltedText, 0);
 salt.CopyTo(saltedText, plainText.Length);

 return algorithm.ComputeHash(saltedText);
 


private static byte GenerateSalt()

 using (RandomNumberGenerator random = new RNGCryptoServiceProvider())
 
 byte salt = new byte[MaxSaltLength];
 random.GetNonZeroBytes(salt);
 return salt;






share|improve this answer























  • Thanks for the feedback. Just wondering, from a security standpoint, how safe is this method of generating salted hashes?
    – Ioan Thomas
    May 13 at 20:31










  • IMO its safe enough at least if the plainText isn't containing security relevant information. If plainText contains security relevant information you should override it inside this method.
    – Heslacher
    May 13 at 20:35










  • @Heslacher, could you elaborate on you should override it inside this method a little, and/or show an example? I'm assumingsecurity relevant information would be passwords and such.
    – Sinjai
    May 20 at 21:11











  • I meant overwriting the passed array.
    – Heslacher
    May 22 at 5:51














up vote
4
down vote



accepted










  • Because HashAlgorithm implements IDisposable you should enclose the usage of it in an using block as well.


  • Omitting braces although they might be optional can lead to hidden and therfor hard to find bugs. I would like to encourage you to always use braces.


  • Instead of using a for loop to copy plainText to saltedText and salt to saltedText you may take advantage of the Array.CopyTo() method.


  • Public methods should validate passed parameters.


  • Because you don't return the salt you can only generate a hash but you can't verify the hash.


Applying the mentioned points can lead to 



public static byte GenerateSaltedHash(byte plainText)

 if (plainText == null) throw new ArgumentNullException("plainText"); 
 if (plainText.Length == 0) throw new ArgumentException("Length may not be zero", "plainText"); 

 using (HashAlgorithm algorithm = new SHA256Managed())
 
 byte salt = GenerateSalt();
 byte saltedText = new byte[plainText.Length + salt.Length];

 plainText.CopyTo(saltedText, 0);
 salt.CopyTo(saltedText, plainText.Length);

 return algorithm.ComputeHash(saltedText);
 


private static byte GenerateSalt()

 using (RandomNumberGenerator random = new RNGCryptoServiceProvider())
 
 byte salt = new byte[MaxSaltLength];
 random.GetNonZeroBytes(salt);
 return salt;






share|improve this answer























  • Thanks for the feedback. Just wondering, from a security standpoint, how safe is this method of generating salted hashes?
    – Ioan Thomas
    May 13 at 20:31










  • IMO its safe enough at least if the plainText isn't containing security relevant information. If plainText contains security relevant information you should override it inside this method.
    – Heslacher
    May 13 at 20:35










  • @Heslacher, could you elaborate on you should override it inside this method a little, and/or show an example? I'm assumingsecurity relevant information would be passwords and such.
    – Sinjai
    May 20 at 21:11











  • I meant overwriting the passed array.
    – Heslacher
    May 22 at 5:51












up vote
4
down vote



accepted







up vote
4
down vote



accepted






  • Because HashAlgorithm implements IDisposable you should enclose the usage of it in an using block as well.


  • Omitting braces although they might be optional can lead to hidden and therfor hard to find bugs. I would like to encourage you to always use braces.


  • Instead of using a for loop to copy plainText to saltedText and salt to saltedText you may take advantage of the Array.CopyTo() method.


  • Public methods should validate passed parameters.


  • Because you don't return the salt you can only generate a hash but you can't verify the hash.


Applying the mentioned points can lead to 



public static byte GenerateSaltedHash(byte plainText)

 if (plainText == null) throw new ArgumentNullException("plainText"); 
 if (plainText.Length == 0) throw new ArgumentException("Length may not be zero", "plainText"); 

 using (HashAlgorithm algorithm = new SHA256Managed())
 
 byte salt = GenerateSalt();
 byte saltedText = new byte[plainText.Length + salt.Length];

 plainText.CopyTo(saltedText, 0);
 salt.CopyTo(saltedText, plainText.Length);

 return algorithm.ComputeHash(saltedText);
 


private static byte GenerateSalt()

 using (RandomNumberGenerator random = new RNGCryptoServiceProvider())
 
 byte salt = new byte[MaxSaltLength];
 random.GetNonZeroBytes(salt);
 return salt;






share|improve this answer















  • Because HashAlgorithm implements IDisposable you should enclose the usage of it in an using block as well.


  • Omitting braces although they might be optional can lead to hidden and therfor hard to find bugs. I would like to encourage you to always use braces.


  • Instead of using a for loop to copy plainText to saltedText and salt to saltedText you may take advantage of the Array.CopyTo() method.


  • Public methods should validate passed parameters.


  • Because you don't return the salt you can only generate a hash but you can't verify the hash.


Applying the mentioned points can lead to 



public static byte GenerateSaltedHash(byte plainText)

 if (plainText == null) throw new ArgumentNullException("plainText"); 
 if (plainText.Length == 0) throw new ArgumentException("Length may not be zero", "plainText"); 

 using (HashAlgorithm algorithm = new SHA256Managed())
 
 byte salt = GenerateSalt();
 byte saltedText = new byte[plainText.Length + salt.Length];

 plainText.CopyTo(saltedText, 0);
 salt.CopyTo(saltedText, plainText.Length);

 return algorithm.ComputeHash(saltedText);
 


private static byte GenerateSalt()

 using (RandomNumberGenerator random = new RNGCryptoServiceProvider())
 
 byte salt = new byte[MaxSaltLength];
 random.GetNonZeroBytes(salt);
 return salt;







share|improve this answer















share|improve this answer



share|improve this answer








edited May 13 at 21:14


























answered May 13 at 20:10









Heslacher

43.9k359152




43.9k359152











  • Thanks for the feedback. Just wondering, from a security standpoint, how safe is this method of generating salted hashes?
    – Ioan Thomas
    May 13 at 20:31










  • IMO its safe enough at least if the plainText isn't containing security relevant information. If plainText contains security relevant information you should override it inside this method.
    – Heslacher
    May 13 at 20:35










  • @Heslacher, could you elaborate on you should override it inside this method a little, and/or show an example? I'm assumingsecurity relevant information would be passwords and such.
    – Sinjai
    May 20 at 21:11











  • I meant overwriting the passed array.
    – Heslacher
    May 22 at 5:51
















  • Thanks for the feedback. Just wondering, from a security standpoint, how safe is this method of generating salted hashes?
    – Ioan Thomas
    May 13 at 20:31










  • IMO its safe enough at least if the plainText isn't containing security relevant information. If plainText contains security relevant information you should override it inside this method.
    – Heslacher
    May 13 at 20:35










  • @Heslacher, could you elaborate on you should override it inside this method a little, and/or show an example? I'm assumingsecurity relevant information would be passwords and such.
    – Sinjai
    May 20 at 21:11











  • I meant overwriting the passed array.
    – Heslacher
    May 22 at 5:51















Thanks for the feedback. Just wondering, from a security standpoint, how safe is this method of generating salted hashes?
– Ioan Thomas
May 13 at 20:31




Thanks for the feedback. Just wondering, from a security standpoint, how safe is this method of generating salted hashes?
– Ioan Thomas
May 13 at 20:31












IMO its safe enough at least if the plainText isn't containing security relevant information. If plainText contains security relevant information you should override it inside this method.
– Heslacher
May 13 at 20:35




IMO its safe enough at least if the plainText isn't containing security relevant information. If plainText contains security relevant information you should override it inside this method.
– Heslacher
May 13 at 20:35












@Heslacher, could you elaborate on you should override it inside this method a little, and/or show an example? I'm assumingsecurity relevant information would be passwords and such.
– Sinjai
May 20 at 21:11





@Heslacher, could you elaborate on you should override it inside this method a little, and/or show an example? I'm assumingsecurity relevant information would be passwords and such.
– Sinjai
May 20 at 21:11













I meant overwriting the passed array.
– Heslacher
May 22 at 5:51




I meant overwriting the passed array.
– Heslacher
May 22 at 5:51












 

draft saved


draft discarded


























 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f194283%2fsalted-hash-generator%23new-answer', 'question_page');

);

Post as a guest
































































-

Popular posts from this blog

Chat program with C++ and SFML

Image
Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 2 down vote favorite This is my client code: (My server is very similar at the moment but I will upload it below this one just in case somebody wants to run it) #include <SFML/Graphics.hpp> #include <SFML/Network.hpp> #include <thread> int main() sf::RenderWindow main_win(sf::VideoMode(800, 800), "Chatcy!"); main_win.setPosition(sf::Vector2i(sf::VideoMode::getDesktopMode().width/2 -400, sf::VideoMode::getDesktopMode().height/2 -400)); main_win.setVerticalSyncEnabled(true); //chatcy logo sf::Texture chatcy; chatcy.loadFromFile("image_chatcy.png"); sf::Sprite logo; logo.setTexture(chatcy); //200x800 //font sf::Font font; font.loadFromFile("FreeSerif.ttf"); //name sf::String name("Client"); name += ": "; //text input area and background sf::RectangleShape in_backg
Read more

Function to Return a JSON Like Objects Using VBA Collections and Arrays

Image
Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 1 down vote favorite My goal is to create a compact function that can create a JSON Like object from JSON string. I want a function with a small footprint that I or anyone who wants to use it, can simply paste into a module and use. At 61 lines of code, I am happy with its size and portability. Here is an image of JSON Object created from string data using a ScriptControl . Although the Locals Window displays the properties and values correctly, the object itself is extremely difficult to work with. This image shows an object created using getJSONCollection . Because it is made of VBA Collections and Arrays, it is very easy to work with. Option Explicit Private Function getJSONCollection(ByVal Value As Variant, Optional ScriptEngine As Object) As Variant Const DELIMITER As String = "||" Dim col As Collection, JSON As Object, KeyNam
Read more

Will my employers contract hold up in court?

Image
Clash Royale CLAN TAG #URR8PPP up vote 8 down vote favorite 2 When I started a new job back in July of 2017, I signed a contract that had the following bindings or restrictions if I was ever to leave the company: Cannot work for a competitor within 25 miles of current companies location for the next two years Cannot offer my services to any organization within 25 miles of current companies location for the next two years Now, when mentioned “my services” this can be related to my profession of website design. This contract seems incredibly binding, 2 years in length, and I’m looking to see if it would actually hold up in an Arizona court. contract employment non-compete arizona share | improve this question edited Aug 7 at 15:35 feetwet ♦ 13.8k 9 37 85 asked Aug 6 at 19:05 Alex S. 46 2 What does your company do and what services do they provide? What is your role (i.e. internal work or work for customers).
Read more