[ZT]Generating Forms Authentication Compatible Passwords (SHA1)

by Anthony Ogden.

In this article we will take a quick look at two methods for creating SHA1 passwords for use on the web.

In brief we show how to generate SHA1 hashes that are Forms Authentication compatible via:

  • .Net Web Application
  • .Net Windows Form or Console Application

Why would we want to create an SHA1 Password Hash?
The answer to this is easy. Storing passwords anywhere in plain text is dangerous. SHA1 gives a quick and easy way to turn a password into a one-way hash that is not human readable. This makes it safer to store in a database: should the database be viewed by anyone who shouldn't know the passwords, it will be much more difficult for them to work out what a user's password is.

Creating an SHA1 Password Hash using a Web Application
Download the VB.Net project file here.

When creating a Web Application we can use the HashPasswordForStoringInConfigFile method of the FormsAuthentication class (in the System.Web.Security namespace) to generate our SHA1 password hash.

The following section of code shows an example of this:

Dim encpass As String = _
  FormsAuthentication.HashPasswordForStoringInConfigFile(tbxPassword.Text, _
  "sha1")
tbxResult.Text = encpass.ToString()

The code takes the text from the "tbxPassword" textbox control and hashes the contents with the SHA1 algorithm. The result is then placed in the "tbxResult" textbox control.

This hashed password can then be placed in your web.config file or in a database and used in your web application for Forms Authentication. In a future tutorial we will show how to go on and use this in an application.

Creating an SHA1 Password Hash using a Windows Form/Console Application
Download the VB.Net project file for this application here.

The code for creating a Forms Authentication compatible password from a Windows App is slightly different. Instead of using the FormsAuthentication class in the System.Web.Security namespace, we use the System.Security.Cryptography namespace. We also have an additional step to take in converting the SHA1 hash from binary into a hexadecimal string, which is the format used in FormsAuthentication.

The following sections of code show the steps we have to take to get a compatible password hash from a Windows application:

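	' At the top of the file: Imports System.Text and Imports System.Security.Cryptography
	Dim myString As String = "PASSWORD"
	Dim Data As Byte()

	' UTF-8 keeps non-ASCII characters distinct; Encoding.ASCII would turn each one into "?"
	Data = Encoding.UTF8.GetBytes(myString)

The SHA1Managed object expects our data as binary bytes, so the code above converts our string "PASSWORD" into a sequence of bytes.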

	Dim shaM As New SHA1Managed()
	Dim resultHash As Byte() = shaM.ComputeHash(Data)

The preceding lines hash our data with SHA1 and we end up with a sequence of binary bytes representing the hashed password.

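	Dim resultHexString As String = ""
	Dim b As Byte

	For Each b In resultHash
		' "X2" writes two digits per byte; Hex(b) would drop the leading zero of values below 16
		resultHexString += b.ToString("X2")
	Next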

The lines above take our binary data and convert the bytes into a hexadecimal string representation, the format that is used when using FormsAuthentication. You can check that you get the same results by first running the web application version and taking the resulting string, then running the Windows application with the same password and comparing the hashed result.
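The three steps above combined into one console module, as an added example that is not part of the original article; the names FormsAuthHashDemo and Sha1Hex are hypothetical. It hashes the published SHA-1 test message "abc", whose digest contains the byte 0x06, to show that each byte must be written as two hex digits for the string to match.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Text
Imports Microsoft.VisualBasic

Module FormsAuthHashDemo

    ' Hypothetical helper: SHA1 over the UTF-8 bytes of the password, written as
    ' hex. padBytes:=True gives two digits per byte; False reproduces Hex(b).
    Function Sha1Hex(ByVal password As String, ByVal padBytes As Boolean) As String
        Dim data As Byte() = Encoding.UTF8.GetBytes(password)
        Dim sb As New StringBuilder(40)
        Using sha As SHA1 = SHA1.Create()
            For Each b As Byte In sha.ComputeHash(data)
                If padBytes Then
                    sb.Append(b.ToString("X2"))   ' 6 -> "06"
                Else
                    sb.Append(Hex(b))             ' 6 -> "6", leading zero lost
                End If
            Next
        End Using
        Return sb.ToString()
    End Function

    Sub Main()
        ' Published SHA-1 test vector for the message "abc"; its sixth byte is 0x06.
        Const Known As String = "A9993E364706816ABA3E25717850C26C9CD0D89D"

        Dim padded As String = Sha1Hex("abc", True)
        Dim unpadded As String = Sha1Hex("abc", False)

        Console.WriteLine("padded   ({0} chars): {1}", padded.Length, padded)
        Console.WriteLine("unpadded ({0} chars): {1}", unpadded.Length, unpadded)
        Console.WriteLine("padded matches test vector:   {0}", padded = Known)
        Console.WriteLine("unpadded matches test vector: {0}", unpadded = Known)
    End Sub

End Module
```

A single unsalted SHA1 pass is fast to compute, so this format is best kept for compatibility with existing Forms Authentication credentials; for a new password store, a salted and iterated scheme such as Rfc2898DeriveBytes (PBKDF2) in the same System.Security.Cryptography namespace is the stronger choice.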
