I have been on this problem for a while. I need to compare a password that the user enters to a password that is in the membership DB. The password is hashed and has a salt.
Using a tool like Reflector, you can see what the membership provider does.
This is what has worked for me in the past (assumes passwordFormat 1, i.e. SHA1):
    public static string GenerateHash(string pwd, string saltAsBase64)
    {
        // PasswordSalt is stored base64-encoded; decode it to the raw salt bytes first.
        byte[] p1 = Convert.FromBase64String(saltAsBase64);
        return GenerateHash(pwd, p1);
    }

    public static string GenerateHash(string pwd, byte[] saltAsByteArray)
    {
        using (System.Security.Cryptography.SHA1 sha = new System.Security.Cryptography.SHA1CryptoServiceProvider())
        {
            byte[] p1 = saltAsByteArray;
            // The membership provider encodes the password as UTF-16LE (Encoding.Unicode), not UTF-8.
            byte[] p2 = System.Text.Encoding.Unicode.GetBytes(pwd);
            // Hash input is salt bytes followed by password bytes.
            byte[] data = new byte[p1.Length + p2.Length];
            p1.CopyTo(data, 0);
            p2.CopyTo(data, p1.Length);
            byte[] result = sha.ComputeHash(data);
            // The Password column holds the digest base64-encoded.
            string res = Convert.ToBase64String(result);
            return res;
        }
    }
Where `saltAsBase64` is from the `PasswordSalt` column of the `aspnet_Membership` table.
EDIT:
Example usage:
    string pwd = "Letmein44";
    string saltAsBase64 = "SuY4cf8wJXJAVEr3xjz4Dg==";
    string hash = GenerateHash(pwd, saltAsBase64);
    // hash : "mPrDArrWt1+tybrjA0OZuEG1P5w="
So much work! Microsoft makes life much easier with `HashPasswordForStoringInConfigFile`:

    string myhash = System.Web.Security.FormsAuthentication.HashPasswordForStoringInConfigFile(password + salt, "SHA1");
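As an added example (not code from either answer above), the following C# class turns the byte layout from the first answer into a verification routine you can run against a row from `aspnet_Membership` with `passwordFormat` 1 (SHA1): decode the stored salt, append the UTF-16LE bytes of the candidate password, SHA1 the result, and compare it to the stored base64 digest in constant time. The sample salt and hash are the ones given in the first answer's "Example usage"; the class and method names are my own.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: verifies a candidate password against the PasswordSalt and
// Password columns of aspnet_Membership for passwordFormat = 1 (SHA1).
public static class MembershipPasswordCheck
{
    // Recomputes the stored value: SHA1( saltBytes || UTF-16LE(password) ), base64-encoded.
    public static string ComputeHash(string password, string saltAsBase64)
    {
        byte[] salt = Convert.FromBase64String(saltAsBase64);
        byte[] pwd = Encoding.Unicode.GetBytes(password);   // UTF-16LE, as the provider does
        byte[] data = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, data, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, data, salt.Length, pwd.Length);
        using (SHA1 sha = SHA1.Create())
        {
            return Convert.ToBase64String(sha.ComputeHash(data));
        }
    }

    // Constant-time comparison: the time taken does not depend on how many
    // leading bytes of the two digests agree.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Compares the candidate against the stored Password column value.
    public static bool Verify(string candidate, string storedHashBase64, string saltAsBase64)
    {
        byte[] expected = Convert.FromBase64String(storedHashBase64);
        byte[] actual = Convert.FromBase64String(ComputeHash(candidate, saltAsBase64));
        return FixedTimeEquals(expected, actual);
    }

    public static void Main()
    {
        // Sample values taken from the first answer's "Example usage".
        string salt = "SuY4cf8wJXJAVEr3xjz4Dg==";
        string storedHash = "mPrDArrWt1+tybrjA0OZuEG1P5w=";

        Console.WriteLine(Verify("Letmein44", storedHash, salt));
        Console.WriteLine(Verify("letmein44", storedHash, salt));
    }
}
```

Two things to keep in mind when comparing against the membership table: `HashPasswordForStoringInConfigFile` hashes the UTF-8 bytes of the string you pass it and returns an uppercase hex string, so its output is in a different format from the base64 value in the `Password` column, and the byte order (salt bytes first, then UTF-16LE password) is what the stored value was computed from. Salted SHA1 is also a fast hash rather than a password-stretching function, so a stored-password format like this is worth migrating away from when you control the schema.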