Gigi Labs


Monday, November 11, 2013

C# Security: Securing Passwords by Salting and Hashing

Hello and welcome, dear readers! :)

This article deals with storing passwords securely... usually in a database, but to keep things simple, we'll just use a C# dictionary instead. As part of this article, we'll cover two related techniques called hashing and salting. These topics can sometimes be challenging to understand - in fact you can see from my question about salting on StackOverflow that it took me a while to understand the benefits of salting, but it doesn't have to be that way. I am writing this article to hopefully make this fascinating subject easy to understand.

Right, so let's get to business. Create a new Console Application using SharpDevelop or whichever IDE you prefer. Add the following near the top, so that we can use dictionaries:

using System.Collections.Generic;

Just inside your class Program, before your Main() method, add the following dictionary to store our users and their corresponding passwords (see "C# Basics: Morse Code Converter Using Dictionaries" if this seems in any way new to you):

        public static Dictionary<String, String> users = new Dictionary<String, String>()
        {
            { "johnny", "password" },
            { "mary", "flowers" },
            { "chuck", "roundhousekick" },
            { "larry", "password123" }
        };

It is now pretty simple to add a method that can check whether a given username and password result in a successful login:

        public static bool Login(String username, String password)
        {
            if (users.ContainsKey(username) && users[username] == password)
                return true;
            else
                return false;
        }

This code first checks that the username actually exists in the dictionary, and then checks whether the corresponding password matches.

We can now test this code by replacing the contents of Main() with the following code:

        public static void Main(string[] args)
        {
            Console.Write("Username: ");
            String username = Console.ReadLine();
          
            Console.Write("Password: ");
            Console.ForegroundColor = ConsoleColor.Black;
            String password = Console.ReadLine();
            Console.ResetColor();
          
            bool loggedIn = Login(username, password);
            if (loggedIn)
                Console.WriteLine("You have successfully logged in!");
            else
                Console.WriteLine("Bugger off!");
          
            Console.ReadLine();
        }

Notice that when requesting the password, we're setting the console's text colour to black. The console's background colour is also black, so the password won't show as you type, fending off people trying to spy it while looking over your shoulder. Bear in mind that this is only a visual trick: the characters are still in the console buffer (selecting the line with the mouse reveals them), and it breaks on a non-black background. Reading the password one key at a time with Console.ReadKey(true), which suppresses echo altogether, avoids both problems.

Press F5 to try it out:


Awesome - we have just written a very simple login system.

The problem with this system is that the passwords are stored in clear text. If we imagine for a moment that our usernames and passwords were stored in a database, then the actual passwords can easily be obtained by anyone gaining unauthorised access to the database, or by any administrator with legitimate access to it. We can see this by writing a simple method that dumps the users' data, simulating what an attacker would see after breaching the database:

        public static void Hack()
        {
            foreach (String username in users.Keys)
                Console.WriteLine("{0}: {1}", username, users[username]);
        }

We can then add the following code just before the final Console.ReadLine() in Main() to test it out:

            Console.WriteLine();
            Hack();

This gives us all the details, as we are expecting:


This isn't a nice thing to have - anyone who can somehow gain access to the database can see the passwords. How can we make this better?

Hashing


One way is to hash the passwords. A hash function takes an input of any length (a string, a file, any sequence of bytes) and transforms it into a fixed-length output, called the hash or digest:


A hash function is one-way in the sense that you can use it to transform "Hello" into "8b1a9953c4611296a827abf8c47804d7", but there is no practical way to go back from the hash to the input. So if someone gets his hands on the hash of a password, it doesn't mean that he has the password (though, as we'll see in the salting section, he may still be able to guess it).

Another property of hash functions is that their output changes considerably even with a very small change in the input. Take a look at the following, for instance:



You can see how "8b1a9953c4611296a827abf8c47804d7" is very different from "5d41402abc4b2a76b9719d911017c592". The hashes bear no relationship with each other, even though the passwords are almost identical. This means that a hacker won't be able to notice patterns in the hashes that might allow him to guess one password based on another.

One popular hashing algorithm is MD5, which was used to produce the examples above, and there are online tools that compute the MD5 hash of any string you type in. We'll use it here because it's simple and built into .NET, but be aware that MD5 is considered broken (collisions can be produced at will) and, more importantly for passwords, it is extremely fast, which is exactly what you don't want: a modern GPU can try billions of MD5 guesses per second. Real systems store passwords with a deliberately slow, iterated algorithm such as PBKDF2, bcrypt, scrypt or Argon2 instead.

In order to use MD5 in our code, we'll need to add the following statement near the top of our program code:

using System.Security.Cryptography;

At the beginning of the Program class, we can now create an instance of the MD5 class to use whenever we need:

         private static MD5 hashFunction = MD5.Create();

If you look at the intellisense for MD5, you'll see that it has a ComputeHash() method, which returns an array of byte, rather than a String:


We're going to do some String work, so add the following near the top:

using System.Text;

Let's write a little helper method to hash our passwords, using Strings for both input and output:

        public static String Hash(String input)
        {
            // code goes here
        }

In this method, the first thing we need to do is convert the input String to a byte array, so that ComputeHash() can work with it. This is done using the System.Text.Encoding class, which provides several useful members for converting between Strings and bytes. To keep the example short we'll use the ASCII encoding, but note that ASCII cannot represent characters such as 'ä' or '€' and silently replaces each of them with '?', so two different passwords can end up as the same bytes and therefore the same hash. In real code use Encoding.UTF8, which represents every character without losing information:

            byte[] inputBytes = Encoding.ASCII.GetBytes(input);

We can then compute the hash itself:

            byte[] hashBytes = hashFunction.ComputeHash(inputBytes);

Since we don't like working with raw bytes, we then convert it to a hexadecimal string:

            StringBuilder sb = new StringBuilder();
            foreach(byte b in hashBytes)
                sb.Append(b.ToString("x2").ToLower());

The "x2" bit converts each byte into two hexadecimal characters. If you think about it for a moment, hexadecimal digits are from 0 to f (representing 0-15 in decimal), which fit into four bits. But each byte is eight bits, so each byte is made up of two hex digits.

Anyway, after that, all we need to do is return the string, so here's the entire code for the method:

        public static String Hash(String input)
        {
            byte[] inputBytes = Encoding.ASCII.GetBytes(input);
            byte[] hashBytes = hashFunction.ComputeHash(inputBytes);
          
            StringBuilder sb = new StringBuilder();
            foreach(byte b in hashBytes)
                sb.Append(b.ToString("x2").ToLower());
          
            return sb.ToString();
        }
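As an added example (not the article's code), here is the same Hash() helper with the encoding made explicit, plus a check that demonstrates the ASCII problem mentioned above: under Encoding.ASCII, "pässword" and "p?ssword" produce the same hash, under Encoding.UTF8 they don't. MD5 is kept only to match the article; the class and method names are this example's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not the article's code). Shows why Encoding.ASCII is the
// wrong choice in Hash(): ASCII has no code for 'ä', so GetBytes() silently
// substitutes '?', and two different passwords become the same bytes.
public static class EncodingPitfall
{
    // Same pipeline as the article's Hash(), but the encoding is a parameter.
    public static string HexHash(string input, Encoding encoding)
    {
        byte[] inputBytes = encoding.GetBytes(input);
        byte[] hashBytes;
        using (MD5 md5 = MD5.Create())
        {
            hashBytes = md5.ComputeHash(inputBytes);
        }
        // "x2" already yields lowercase hex, so no ToLower() is needed.
        var sb = new StringBuilder(hashBytes.Length * 2);
        foreach (byte b in hashBytes)
            sb.Append(b.ToString("x2"));
        return sb.ToString();
    }

    // True when two *different* passwords hash identically under the given encoding.
    public static bool Collide(string a, string b, Encoding encoding)
    {
        return a != b && HexHash(a, encoding) == HexHash(b, encoding);
    }

    public static void Main()
    {
        string real = "p\u00e4ssword";   // "pässword": contains the non-ASCII 'ä'
        string fake = "p?ssword";        // what Encoding.ASCII turns it into

        // Constructed inputs: the first call reports a collision, the second does not.
        Console.WriteLine("ASCII collides: " + Collide(real, fake, Encoding.ASCII));
        Console.WriteLine("UTF-8 collides: " + Collide(real, fake, Encoding.UTF8));
    }
}
```

The practical consequence is that a login system built on Encoding.ASCII accepts "p?ssword" for an account whose password is "pässword", and silently shrinks the space of distinct passwords an attacker has to guess.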

We can now change our database to use hashed passwords. One C# detail matters here: static fields are initialised in the order they appear in the class, so the hashFunction field must be declared above the users dictionary. Otherwise Hash() runs while hashFunction is still null, and the program crashes with a NullReferenceException before Main() even starts.

        public static Dictionary<String, String> users = new Dictionary<String, String>()
        {
            { "johnny", Hash("password") },
            { "mary", Hash("flowers") },
            { "chuck", Hash("roundhousekick") },
            { "larry", Hash("password123") }
        };

In this way, we aren't storing the passwords themselves, but their hashes. For example, we're storing "5f4dcc3b5aa765d61d8327deb882cf99" instead of "password". That means we don't store the password itself any more (if you ever signed up to an internet forum or something, and it told you that your password can be reset but not recovered, you now know why). However, we can hash any input password and compare the hashes.

In our Login() method, we now change the line that checks username and password as follows:

             if (users.ContainsKey(username) && users[username] == Hash(password))

Let's try this out (F5):


When the user types "johnny" as the username and "password" as the password, the password is hashed, giving us "5f4dcc3b5aa765d61d8327deb882cf99". Since the passwords were also stored as hashes in our database, it matches. In reality our login is doing the same thing as it was doing before - just that we added a hash step (a) when storing our passwords and (b) when receiving a password as input. Ultimately the password in our database and that entered by the user both end up being hashes, and will match if the actual password was the same.

How does this help us? As you can see from the hack output (last four lines in the screenshot above), someone who manages to breach the database cannot see the passwords; he can only get to the hashes. He can't login using a hash, since that will in turn be hashed, producing a completely different value that won't match the hash in the database.

Hashing alone doesn't make the system secure, though. It keeps the passwords themselves out of the database, but an attacker who has the hashes can still guess passwords offline: hash each guess and compare it with the stolen value. With a fast algorithm like MD5 that means billions of guesses per second on commodity hardware, so short or common passwords fall within seconds. The next section looks at the most obvious form of that attack.

Salting


You may have noticed that in the example I used, I had some pretty weak passwords, such as "password" and "password123". Using a dictionary word such as "flowers" is also not a very good idea. Someone may be able to gain access to one of the accounts by trying several common passwords such as "password". These attempts are easily automated, allowing an attacker to try entire dictionaries of words as passwords in a relatively short time (which is also why real login systems rate-limit or lock accounts after repeated failures).

Likewise, once you know the hash of a common password (e.g. "5f4dcc3b5aa765d61d8327deb882cf99" is the MD5 hash of "password"), you recognise that password instantly whenever you see its hash. Attackers precompute lookup tables of hashes for huge lists of common passwords; rainbow tables are a space-saving form of the same idea. A stolen table of unsalted hashes can then be cracked in bulk, and every user who chose "password" has exactly the same hash.

We can combat such attacks by a process known as salting: before hashing, we add some extra data, the salt, to the password. The simplest possible version (we'll see in a moment why it isn't good enough) is a fixed string that we invent, which means changing the first line of our Hash() function as follows:

            byte[] inputBytes = Encoding.ASCII.GetBytes("chuck" + input);

Both the database password and the one entered by the user will now be a hash of "chuck" concatenated with the password itself. When the user tries to login, it will still work, but look at what happens now:


The login worked, but the hashes have changed because of the salt! This means that even for a password as common as "password", a precomputed table of plain MD5 hashes no longer matches. Be clear about what this does and doesn't buy you, though. A single salt shared by every user (strictly speaking this is a "pepper": a secret kept in code or configuration) only helps while it stays secret. An attacker who reads the source learns "chuck" and can build one table of Hash("chuck" + candidate) that cracks every account at once, and it doesn't hide the fact that two users share a password, since "chuck" + "password" gives the same hash for both of them. The real technique uses a different salt for every user: a random value of at least 16 bytes, generated with a cryptographic random number generator when the account is created, stored in the database next to the hash (a salt does not need to be secret), and read back to hash the password at login. Every user then has a unique hash even for identical passwords, and an attacker has to repeat the whole guessing effort separately for each account.
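Here is what the per-user-salt version looks like in C#. This is an added example and not the article's code: it uses Rfc2898DeriveBytes (PBKDF2 with HMAC-SHA256, available since .NET Framework 4.7.2 and .NET Core 2.0) instead of MD5, a 16-byte salt from RandomNumberGenerator, and a comparison that takes the same time whether or not the hashes match. The record format "iterations$salt$hash" and the names PasswordStore, Register and Verify are this example's own choices.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example (not the article's code): per-user random salts with a slow,
// iterated hash (PBKDF2-HMAC-SHA256 via Rfc2898DeriveBytes). The salt is stored
// next to the hash; it is not secret, it only has to be unique per account.
public static class PasswordStore
{
    const int SaltBytes = 16;        // 128-bit random salt per user
    const int HashBytes = 32;        // 256-bit derived key
    const int Iterations = 100000;   // raise as hardware gets faster

    // Record format (this example's own): iterations$base64(salt)$base64(hash).
    // Storing the iteration count lets you raise it later without breaking old records.
    static readonly Dictionary<string, string> users = new Dictionary<string, string>();

    public static string HashPassword(string password)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);                 // CSPRNG, never System.Random
        byte[] hash = Derive(password, salt, Iterations);
        return Iterations + "$" + Convert.ToBase64String(salt) + "$" + Convert.ToBase64String(hash);
    }

    public static void Register(string username, string password)
    {
        users[username] = HashPassword(password);
    }

    public static bool Verify(string username, string password)
    {
        string record;
        if (!users.TryGetValue(username, out record))
            return false;                       // unknown user
        string[] parts = record.Split('$');
        if (parts.Length != 3)
            return false;                       // corrupt record
        int iterations = int.Parse(parts[0]);
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Derive(password, salt, iterations);
        return FixedTimeEquals(expected, actual);
    }

    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        byte[] pw = Encoding.UTF8.GetBytes(password);   // UTF-8, not ASCII
        using (var kdf = new Rfc2898DeriveBytes(pw, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    // Compares every byte regardless of where the first mismatch is, so the time
    // taken does not leak how many leading bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length)
            return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample accounts: two users who chose the same password.
        Register("johnny", "password");
        Register("larry", "password");

        Console.WriteLine("records identical: " + (users["johnny"] == users["larry"]));
        Console.WriteLine("correct password:  " + Verify("johnny", "password"));
        Console.WriteLine("wrong password:    " + Verify("johnny", "Password"));
        Console.WriteLine("unknown user:      " + Verify("nobody", "password"));
    }
}
```

Verify() returns true for the correct password and false for a wrong password or an unknown user, and registering two users with the same password produces two different records because each gets its own salt. On .NET Core 2.1 and later the hand-written FixedTimeEquals can be replaced by CryptographicOperations.FixedTimeEquals, and on .NET 6 and later Rfc2898DeriveBytes.Pbkdf2() does the derivation in a single static call.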

Summary


This article described how to store passwords securely. It started off by doing the easiest and worst thing you can do: store them as clear text. A hash function was subsequently introduced, to transform the passwords into text from which the password cannot be retrieved. When a user logs in, the hash of the password he enters is compared with the password hash stored in the database.

Finally, the hashes were salted by adding extra data to the password before hashing, so that precomputed tables of common-password hashes no longer apply. The example used a single fixed salt for simplicity; in practice the salt is a random value generated per user and stored alongside the hash, and the hash function itself is a slow one designed for passwords (PBKDF2, bcrypt, scrypt or Argon2) rather than MD5.

I hope this made password security a little easier to understand. Please come back again, and support us by sharing this article with your friends, buying games from GOG.com, or any of the other ways described in the "Support the Ranch" page.

Sunday, May 12, 2013

C# Basics: Morse Code Converter Using Dictionaries

Hi all! :)

Today's article is an easy one. We're going to learn to use dictionaries, and use them to make a program that converts text into the Morse Code equivalent.

Just for a change, today I'm going to use Visual Studio 2010 instead of SharpDevelop. If you want to try it, grab an express edition from Microsoft's website. Otherwise, you can manage just as well with SharpDevelop. Let's start off by creating a new console application. In Visual Studio, you can click on the "New Project..." link below the VS logo, or else from the menu, File -> New -> Project...:


Under Visual C# -> Windows, select "Console Application". As with SharpDevelop, specify a name for the project and where to put it. Note: I'm using the Ultimate edition, so your Express edition will be a little different (e.g. fewer project types).


The sample code given by Visual Studio is a bit different from that of SharpDevelop:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

namespace CsMorse
{
    class Program
    {
        static void Main(string[] args)
        {
        }
    }
}


In particular, there's nothing in Main(). It doesn't matter. However, if you're using SharpDevelop, you're going to need the using System.Collections.Generic; so make sure you add it.

So, now we're going to make a little program based on the Morse Code. In case you don't know, the Morse Code is something that Chuck Norris used to communicate with the aliens who built the pyramids in Egypt. Obviously, he was the one telling them how to construct them.

As you can see from Wikipedia's Morse code article, each letter of the alphabet has a corresponding representation in Morse as a series of dots and dashes. In order to speed up transmissions, more common characters (e.g. 'E') are much shorter than others.

In C#, we can use a dictionary to map keys (e.g. 'L') to values (e.g. ".-.."). In other programming languages, dictionaries are sometimes called hash tables or maps or associative arrays. The following is an example of a dictionary mapping the first two letters of the alphabet to their Morse equivalents:

            Dictionary<char, String> morse = new Dictionary<char, String>();
            morse.Add('A', ".-");
            morse.Add('B', "-...");

            Console.WriteLine(morse['A']);
            Console.WriteLine(morse['B']);

            Console.WriteLine("Press any key...");
            Console.ReadKey(false);

First, we are declaring a dictionary. A dictionary is a generic type, so we need to specify in the <> part which data types we are storing. In this case, we have a char key and a String value. We can then add various items, supplying the key and value to the Add() method. Finally, we get values just like we would access an array: using the [] syntax. Just that dictionaries aren't restricted to using integers as keys; you can use any data type you like. You'll know from the previous article, "The ASCII Table (C#)", that a character can be directly converted to an integer, but dictionaries work just as well with other key types, such as Strings.

Here is the output:


If you try to access a key that doesn't exist, such as morse['C'], you'll get a KeyNotFoundException. You can check whether a key exists using ContainsKey() (or use TryGetValue(), which does the check and the lookup in a single call):

            if (morse.ContainsKey('C'))
                Console.WriteLine(morse['C']);

OK. Before we build our Morse converter, you should know that there are several ways of populating a dictionary. One is the Add() method we have seen above. Another is to assign values directly:

            morse['A'] = ".-";
            morse['B'] = "-...";

You can also use collection initialiser syntax to set several values at once:

            Dictionary<char, String> morse = new Dictionary<char, String>()
            {
                {'A' , ".-"},
                {'B' , "-..."}
            };

Since we only need to set the Morse mapping once, I'm going to use this method. Don't forget the semicolon at the end! Replace your current code with the following:

            Dictionary<char, String> morse = new Dictionary<char, String>()
            {
                {'A' , ".-"},
                {'B' , "-..."},
                {'C' , "-.-."},
                {'D' , "-.."},
                {'E' , "."},
                {'F' , "..-."},
                {'G' , "--."},
                {'H' , "...."},
                {'I' , ".."},
                {'J' , ".---"},
                {'K' , "-.-"},
                {'L' , ".-.."},
                {'M' , "--"},
                {'N' , "-."},
                {'O' , "---"},
                {'P' , ".--."},
                {'Q' , "--.-"},
                {'R' , ".-."},
                {'S' , "..."},
                {'T' , "-"},
                {'U' , "..-"},
                {'V' , "...-"},
                {'W' , ".--"},
                {'X' , "-..-"},
                {'Y' , "-.--"},
                {'Z' , "--.."},
                {'0' , "-----"},
                {'1' , ".----"},
                {'2' , "..---"},
                {'3' , "...--"},
                {'4' , "....-"},
                {'5' , "....."},
                {'6' , "-...."},
                {'7' , "--..."},
                {'8' , "---.."},
                {'9' , "----."},
            };

           

            Console.WriteLine("Press any key...");
            Console.ReadKey(false);


In the empty space between the dictionary and the Console.WriteLine(), we can now accept user input and convert it to Morse:

            Console.WriteLine("Write something:");
            String input = Console.ReadLine();
            input = input.ToUpper();

            for (int i = 0; i < input.Length; i++)
            {
                if (i > 0)
                    Console.Write('/');

                char c = input[i];
                if (morse.ContainsKey(c))
                    Console.Write(morse[c]);
            }

            Console.WriteLine();

Here, the user writes something and it is stored in the input variable. We then convert this to uppercase because the keys in our dictionary are uppercase. Then we loop over each character in the input String, and write its Morse equivalent if it exists. We separate different characters in the Morse output by a forward slash (/). Here's the output:


Awesome! :) In this article we used Visual Studio to create a program that converts alphanumeric text into the Morse-encoded equivalent. In the process, we learned to use dictionaries, and also revisited things like for loops and String methods.

Watch this space for more practical articles! In particular, after a few more articles, we'll be doing some network programming. Some great stuff is coming your way. :)

Saturday, May 11, 2013

The ASCII Table (C#)

Hi! :)

In previous articles, we have seen how to create a simple game based within the console window (Part 1, Part 2). In this article we're going to find out what ASCII is about, and how we can draw some basic shapes using the characters available in the console. Don't mind the length of this article... there's a really long chunk of code that you can just copy and paste. Read on! :)

So far we have displayed strings in the console window many times. However, a computer does not know anything about text; it can only work with numbers. So when you do something like this:

             Console.WriteLine("Hello world!");

...each character maps to a particular number (e.g. the 'H' is 72, the 'e' is 101, and so on). ASCII is a standard defining a set of basic characters such as these. Check out an ASCII Table to see how the characters are organised.

The standard ASCII is a set of 128 characters, the first 32 and last 1 of which are control characters such as the Carriage Return (13) and Line Feed (10), which together make a newline. The remaining characters are the text characters that we are used to.

There is also an extended set of another 128 characters, often called "extended ASCII" even though they are not part of the ASCII standard and differ from one code page to another. In the IBM PC character set (code page 437), which the Windows console uses by default on English systems, these consist of some non-English characters as well as line and block characters that can be used to draw something like the screenshot towards the beginning of my article "C#: ASCII Art Game (Part 1)".

We can write all the 256 ASCII characters to the console window using a simple loop. Start a new SharpDevelop project, and use the following code:

            int i = 0;
            while (i < 256)
            {
                Console.Write(Convert.ToChar(i));
                i++;
            }

All we do is run this loop from 0 to 255 and write the corresponding ASCII character. We use the Convert class that is familiar from my article "C# Basics: Fun with Integers", but this time we convert from an integer to a character.

This is easy, but there's a better way to do this. Replace the above code with this:

            for (int i = 0; i < 256; i++)
            {
                Console.Write((char) i);
            }

This for loop does the same as above, but is much more compact. Initialising i, incrementing it, and the loop condition are all contained within the brackets of the for statement. The braces contain the statements to carry out with each iteration. If you have just one statement, as in this case, you may omit the curly brackets.

Also, you'll notice that I changed how we convert between integer and character. This method is called type casting - you just put the desired type (char in this case) beside the variable to be converted. The end result is still the same as with using Convert.ToChar().

When you run this code (F5), you'll hear a beep and see this:


Some things will seem weird here. There are what appear to be smiley faces, an uncalled-for newline, a whole bunch of question marks, and lots of strange characters after that, not to mention the beep.

The smiley faces, newline and beep are all due to the control characters at the beginning of the ASCII set. The beep is due to the bell character (7); the newline is due to the line feed character (10). The smiley faces and other crap at the beginning are just the character representations of those control characters. Additionally, what you're not seeing is that the carriage return (13) is moving the cursor position to the beginning of the line, so characters 11 and 12 are being overwritten. Let's rectify this:

            for (int i = 0; i < 256; i++)
            {
                if (i == 13)
                    Console.Write(' ');
                else
                    Console.Write((char) i);
            }

As for the extended character codes not matching the ASCII Table: (char)i for i above 127 is the Unicode character with that number (U+0080 to U+00FF), which the console then has to encode into a byte of its current code page, and many of those characters have no equivalent there, hence the question marks. The Windows-1252 code page maps those characters one-to-one onto bytes 128 to 255, so after the following line each character comes out as the single byte of the same value, which is what the extended table is indexed by. Just add it before the for loop:

            Console.OutputEncoding = System.Text.Encoding.GetEncoding(1252);

The result is now different:


That's better! Now, we can use those extended ASCII characters to draw something. This is called ASCII art. Here's some full code:

            Console.OutputEncoding = System.Text.Encoding.GetEncoding(1252);

            for (int i = 0; i < 256; i++)
            {
                if (i == 13)
                    Console.Write(' ');
                else
                    Console.Write((char) i);
            }

            // top-left corner

            Console.SetCursorPosition(30, 10);
            Console.Write((char) 201);

            // top-right corner

            Console.SetCursorPosition(53, 10);
            Console.Write((char) 187);

            // mid-left T-junction

            Console.SetCursorPosition(30, 13);
            Console.Write((char) 204);

            // mid-right T-junction

            Console.SetCursorPosition(53, 13);
            Console.Write((char) 185);

            // bottom-left corner

            Console.SetCursorPosition(30, 15);
            Console.Write((char) 200);

            // bottom-right corner

            Console.SetCursorPosition(53, 15);
            Console.Write((char) 188);

            // horizontal edges

            for (int i = 31; i < 53; i++)
            {
                Console.SetCursorPosition(i, 10);
                Console.Write((char) 205);
                Console.SetCursorPosition(i, 13);
                Console.Write((char) 205);
                Console.SetCursorPosition(i, 15);
                Console.Write((char) 205);
            }

            // vertical edges

            Console.SetCursorPosition(30, 11);
            Console.Write((char) 186);
            Console.SetCursorPosition(30, 12);
            Console.Write((char) 186);
            Console.SetCursorPosition(30, 14);
            Console.Write((char) 186);
            Console.SetCursorPosition(53, 11);
            Console.Write((char) 186);
            Console.SetCursorPosition(53, 12);
            Console.Write((char) 186);
            Console.SetCursorPosition(53, 14);
            Console.Write((char) 186);

            // text

            Console.SetCursorPosition(32, 11);
            Console.Write("     Welcome to");
            Console.SetCursorPosition(32, 12);
            Console.Write(" Programmer's Ranch");
            Console.SetCursorPosition(32, 14);
            Console.Write("by Daniel D'Agostino");

            Console.SetCursorPosition(0, 24);

            Console.Write("Press any key to continue . . . ");
            Console.ReadKey(true);

...and the output:


Right... although we have achieved our goal, you'll notice two things here that feel a little uncomfortable. First, the code is rather long. For this kind of thing, the drawing data is best kept in files. Secondly, there is quite a bit of repetition: lots of Console.SetCursorPosition() calls followed by Console.Write() calls. This may be alleviated by using methods, but more on that in another article.
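As an added example (not the article's code), the following DrawBox() method draws the same double-line box from a handful of parameters instead of dozens of SetCursorPosition()/Write() pairs. BuildBox() produces the rows as strings first, so the drawing can be inspected without a console. The code-page 437 box-drawing values (201, 187, 204, 185, 200, 188, 205, 186) are the ones the article uses; the class and method names are this example's own.

```csharp
using System;
using System.Text;

// Added example (not the article's code): the article's box, generated by a
// reusable method. Character values are the code-page 437 box-drawing set.
public static class AsciiArt
{
    // Builds the box as one string per row. width and height are the outer
    // dimensions; dividerRow (optional) is the row, counted from the top edge,
    // that gets a horizontal divider with T-junctions at both ends.
    public static string[] BuildBox(int width, int height, int dividerRow = -1)
    {
        if (width < 2 || height < 2)
            throw new ArgumentException("box must be at least 2x2");

        string[] rows = new string[height];
        for (int y = 0; y < height; y++)
        {
            var sb = new StringBuilder(width);
            for (int x = 0; x < width; x++)
            {
                bool left = x == 0, right = x == width - 1;
                bool top = y == 0, bottom = y == height - 1, divider = y == dividerRow;
                char c;
                if (top)          c = left ? (char) 201 : right ? (char) 187 : (char) 205;
                else if (bottom)  c = left ? (char) 200 : right ? (char) 188 : (char) 205;
                else if (divider) c = left ? (char) 204 : right ? (char) 185 : (char) 205;
                else              c = (left || right) ? (char) 186 : ' ';
                sb.Append(c);
            }
            rows[y] = sb.ToString();
        }
        return rows;
    }

    // Draws the box with its top-left corner at (left, top).
    public static void DrawBox(int left, int top, int width, int height, int dividerRow = -1)
    {
        string[] rows = BuildBox(width, height, dividerRow);
        for (int y = 0; y < rows.Length; y++)
        {
            Console.SetCursorPosition(left, top + y);
            Console.Write(rows[y]);
        }
    }

    public static void Main()
    {
        Console.OutputEncoding = Encoding.GetEncoding(1252);

        // Same box as the article: columns 30 to 53, rows 10 to 15, divider on row 13.
        DrawBox(30, 10, 24, 6, dividerRow: 3);

        Console.SetCursorPosition(32, 11);
        Console.Write("     Welcome to");
        Console.SetCursorPosition(32, 12);
        Console.Write(" Programmer's Ranch");
        Console.SetCursorPosition(32, 14);
        Console.Write("by Daniel D'Agostino");

        Console.SetCursorPosition(0, 24);
        Console.Write("Press any key to continue . . . ");
        Console.ReadKey(true);
    }
}
```

On .NET Framework this runs as-is. On .NET Core and .NET 5 or later, Encoding.GetEncoding(1252) throws unless the legacy code pages are registered first with Encoding.RegisterProvider(CodePagesEncodingProvider.Instance) from the System.Text.Encoding.CodePages package, and which glyphs actually appear for bytes 128 to 255 still depends on the console's font and code page.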

Great! In this article we learned about what the ASCII table has to offer us. It doesn't sound like much, but if you're creative, you can use it to make some really cool games. Also, ASCII is probably the most basic character encoding there is; if you do advanced programming using text later on, knowing ASCII is a useful foundation.

I have more good things coming up in the next few articles, so don't go away! :)

Optional exercises:

  1. Replace the 'X' representing the player in our ASCII art game (Part 1, Part 2) with a smiley face from the ASCII character set.
  2. Draw a top-down view of a house in the console window using ASCII art. Use '-' for doors and '+' for windows.
  3. If you feel like going overboard, draw something complex (such as an elaborate logo design or an overworld map) using ASCII art and send me a screenshot. I'll post the best ones here.