Encrypted password ans salt does not match when I validate them

Question

I use the following code to Encrypt and protect the password and I add salt to it, but when I try to validate it when the user login they don't match, I don't know why.

public static class Encrypt
{
    public static string saltValue { get; set; }
    public static string hashValue { get; set; }

    public static void SecurePassword(string password)
    {
        // Create a truly random salt using RNGCryptoServiceProvider.
        RNGCryptoServiceProvider csprng = new RNGCryptoServiceProvider();
        byte[] salt = new byte[32];
        csprng.GetBytes(salt);

        // Get the salt value
        saltValue = Convert.ToBase64String(salt);
        // Salt the password
        byte[] saltedPassword = Encoding.UTF8.GetBytes(saltValue + password);

        // Hash the salted password using SHA256
        SHA512Managed hashstring = new SHA512Managed();
        byte[] hash = hashstring.ComputeHash(saltedPassword);

        // Save both the salt and the hash in the user's database record.
        saltValue = Convert.ToBase64String(salt);
        hashValue = Convert.ToBase64String(hash);            
    }

    public static void ValidateLogin(string password, string username)
    {
        // Read the user's salt value from the database
        string saltValueFromDB = saltValue;

        // Read the user's hash value from the database
        string hashValueFromDB = hashValue;

        byte[] saltedPassword = Encoding.UTF8.GetBytes(saltValueFromDB + password);

        // Hash the salted password using SHA256
        SHA512Managed hashstring = new SHA512Managed();
        byte[] hash = hashstring.ComputeHash(saltedPassword);

        string hashToCompare = Convert.ToBase64String(hash);

        if (hashValueFromDB.Equals(hashToCompare))
            Console.WriteLine("User Validated.");
        else
            Console.WriteLine("Login credentials incorrect. User not validated.");
    }
}

Please advise. Thank you in advance

Answer 1

Changed your code a bit but this works:

    public class Encrypt
    {
        public HashedCredential SecurePassword(string password, string salt = "")
        {
            var saltValue = salt;
            if (string.IsNullOrEmpty(salt))
            {
                saltValue = GenertateSalt();
            }

            // Salt the password
            byte[] saltedPassword = Encoding.UTF8.GetBytes(saltValue + password);

            // Hash the salted password using SHA256
            SHA512Managed hashstring = new SHA512Managed();
            byte[] hash = hashstring.ComputeHash(saltedPassword);

            return new HashedCredential(saltValue, Convert.ToBase64String(hash));
        }

        private string GenertateSalt()
        {
            RNGCryptoServiceProvider csprng = new RNGCryptoServiceProvider();
            byte[] salt = new byte[32];
            csprng.GetBytes(salt);
            return Convert.ToBase64String(salt);
        }
    }

    public class HashedCredential
    {
        public string SaltValue { get; }
        public string HashValue { get; }

        public HashedCredential(string saltValue, string hashValue)
        {
            SaltValue = saltValue;
            HashValue = hashValue;
        }
    }

    [TestMethod]
    public void GenerateSalt()
    {
        // Arrange
        var sut = new Encrypt();

        // Act
        var result = sut.SecurePassword("Test");
        var resultB = sut.SecurePassword("Test", result.SaltValue);

        // Assert
        Console.WriteLine($"resultA:'{result.HashValue}'");
        Console.WriteLine($"resultB:'{resultB.HashValue}'");

        Assert.AreEqual(result.HashValue, resultB.HashValue);
    }