  1. Hashing gone wrong
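  ''' <summary>
  ''' Hashes <paramref name="text"/> with a salt appended and returns at most the first
  ''' 36 characters of Base64(digest bytes followed by salt bytes).
  ''' </summary>
  ''' <param name="text">Text to hash; it is encoded as UTF-8 before hashing.</param>
  ''' <param name="algorithm">
  ''' "SHA1", "SHA256", "SHA384" or "SHA512" (case-insensitive). Nothing, or any other
  ''' value, selects MD5.
  ''' </param>
  ''' <param name="salt">
  ''' Salt bytes appended to the text. When Nothing, 8 random non-zero bytes are generated,
  ''' so two calls with the same text return different values.
  ''' </param>
  ''' <returns>The Base64 text of digest + salt, cut to 36 characters when it is longer.</returns>
  ''' <remarks>
  ''' NOTE(review): 36 Base64 characters decode to 27 bytes. A SHA-256/384/512 digest is
  ''' already longer than that, so the appended salt is cut off entirely (SHA-1 keeps only
  ''' part of it). A value produced with a random salt can therefore never be recomputed
  ''' for verification. Return the full string, or store the salt separately, once the
  ''' consumers of this value (e.g. a database column width) have been checked.
  ''' NOTE(review): a single pass of a general-purpose hash is not a password-hashing
  ''' scheme. For stored passwords use a salted, iterated key-derivation function such as
  ''' Rfc2898DeriveBytes (PBKDF2). The silent fallback to MD5 for an unrecognised
  ''' algorithm name also deserves an explicit error instead.
  ''' </remarks>
  Public Shared Function Compute(ByVal text As String, ByVal algorithm As String, Optional ByVal salt() As Byte = Nothing) As String
      If salt Is Nothing Then
          Const saltSize As Integer = 8
          salt = New Byte(saltSize - 1) {}

          ' The provider wraps an OS handle; release it as soon as the salt is filled.
          Using rng As New RNGCryptoServiceProvider
              rng.GetNonZeroBytes(salt)
          End Using
      End If

      ' Build text || salt as the hash input.
      Dim textBytes As Byte() = Encoding.UTF8.GetBytes(text)
      Dim saltedTextBytes() As Byte = New Byte(textBytes.Length + salt.Length - 1) {}
      Buffer.BlockCopy(textBytes, 0, saltedTextBytes, 0, textBytes.Length)
      Buffer.BlockCopy(salt, 0, saltedTextBytes, textBytes.Length, salt.Length)

      If algorithm Is Nothing Then
          algorithm = ""
      End If

      ' Algorithm names are identifiers, not display text, so upper-case them
      ' independently of the current culture.
      Dim hash As HashAlgorithm
      Select Case algorithm.ToUpperInvariant()
          Case "SHA1" : hash = New SHA1Managed
          Case "SHA256" : hash = New SHA256Managed
          Case "SHA384" : hash = New SHA384Managed
          Case "SHA512" : hash = New SHA512Managed
          Case Else : hash = New MD5CryptoServiceProvider ' unknown name falls back to MD5
      End Select

      Dim hashBytes As Byte()
      Using hash
          hashBytes = hash.ComputeHash(saltedTextBytes)
      End Using

      ' Append the salt to the digest: digest || salt.
      Dim saltedHash() As Byte = New Byte(hashBytes.Length + salt.Length - 1) {}
      Buffer.BlockCopy(hashBytes, 0, saltedHash, 0, hashBytes.Length)
      Buffer.BlockCopy(salt, 0, saltedHash, hashBytes.Length, salt.Length)

      Dim hashValue As String = Convert.ToBase64String(saltedHash)

      ' Kept for compatibility with existing callers; see the remarks about the lost salt.
      Return Left(hashValue, 36)
  End Function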
  48.  
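  ' Registration: validate the e-mail address, hash the password, insert the new user row.
  '
  ' NOTE(review): as shown here the pattern contains no backslashes (for example "(?([)"
  ' and "d{1,3}"), which suggests the escapes were lost when the code was pasted. Confirm
  ' it against the original source before relying on it.
  Dim pattern As String = "^(?("")("".+?""@)|(([0-9a-zA-Z]((.(?!.))|[-!#$%&'*+/=?^`{}|~w])*)(?<=[0-9a-zA-Z])@))(?([)([(d{1,3}.){3}d{1,3}])|(([0-9a-zA-Z][-w]*[0-9a-zA-Z].)+[a-zA-Z]{2,6}))$"
  Dim match As Match = Regex.Match(txtEmail.Text, pattern)
  If match.Success Then
      ' Hash the user's password before entering it into the database.
      ' NOTE(review): passing Nothing makes Compute generate a random salt, and Compute
      ' returns only the first 36 characters of its output. For SHA512 that cuts the salt
      ' off, so the stored value cannot be recomputed at login. Keep the salt (a separate
      ' column, or the untruncated value) so the password can be verified later.
      Dim pass As String = Crypt.Compute(txtPass.Text, "SHA512", Nothing)

      ' Enter the information from the form into the database. Values travel as
      ' parameters, never as part of the SQL text.
      Dim sql As String = "INSERT INTO Users(Username, Password, EmailAddress) " & _
          "VALUES(@User, @Pass, @Email)"
      Using cmd As New SqlCommand(sql, conn)
          cmd.Parameters.AddWithValue("@User", txtName.Text)
          cmd.Parameters.AddWithValue("@Pass", pass)
          cmd.Parameters.AddWithValue("@Email", txtEmail.Text)

          ' Close the connection even when the insert throws (e.g. a constraint violation).
          Try
              conn.Open()
              cmd.ExecuteNonQuery()
          Finally
              conn.Close()
          End Try
      End Using
  Else
      lblError.Text = "Invalid email address. Please correct."
      lblError.ForeColor = Drawing.Color.Red
  End If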
  71.  
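  ' Login: hash the submitted password and look for a row matching username + hash.
  '
  ' NOTE(review): Compute is called with Nothing for the salt, so it generates a new random
  ' salt on every call. The value computed here therefore differs from the one computed at
  ' registration, and "Password = @Pass" cannot match. Verification needs the salt used at
  ' registration: fetch the stored record by username, recompute with that salt, and compare
  ' the two values in application code.
  Dim pass As String = Crypt.Compute(txtPass.Text, "SHA512", Nothing)

  Dim UserData As New DataSet
  ' Dispose the command and adapter once the DataSet has been filled.
  Using selectCommand As New SqlCommand("SELECT * FROM Users " & _
          "WHERE Username = @User AND Password = @Pass", conn)
      selectCommand.Parameters.AddWithValue("@User", txtUser.Text)
      selectCommand.Parameters.AddWithValue("@Pass", pass)

      Using UserAdapter As New SqlDataAdapter
          UserAdapter.SelectCommand = selectCommand
          UserAdapter.Fill(UserData)
      End Using
  End Using

  If UserData.Tables(0).Rows.Count <> 1 Then
      ' One message for both failure causes, so the response does not reveal which
      ' usernames exist.
      lblError.Text = "Invalid username or password."
      lblError.ForeColor = Drawing.Color.Red
      ' NOTE(review): the counter lives in the session and nothing in this fragment
      ' enforces a limit. A client that discards its session cookie starts again at zero.
      ' Track failed attempts per account on the server side if throttling is intended.
      Session("LoginAttempt") = CInt(Session("LoginAttempt")) + 1
  Else
      ' NOTE(review): only a flag is stored and no new session is issued in this fragment.
      ' Confirm the session identifier is renewed on login and that the authenticated
      ' user's identity is recorded.
      Session("LoggedIn") = True
      Response.Redirect("Home.aspx")
  End If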
  90.  
  ' Demonstration with sample values: when the caller supplies the salt, Compute is
  ' deterministic. The same password and the same salt always give the same output.
  ' That is what verification relies on, and also why a salt shared by every user
  ' would defeat its purpose.
  Dim thePass As String = "MyPassword"
  Dim theSalt As String = "salt"
  Dim saltBytes As Byte() = Encoding.UTF8.GetBytes(theSalt)

  Dim firstResult As String = Compute(thePass, "SHA512", saltBytes)
  Console.WriteLine(firstResult)

  Dim secondResult As String = Compute(thePass, "SHA512", saltBytes)
  Console.WriteLine(secondResult) ' prints the same text as the line above