I may change to sha256 in the future but this is how we verify passwords atm.
using System;
using System.Security.Cryptography;

// Verifies a password against a stored "$SPHASH$V1$<iterations>$<base64(salt + hash)>" string.
// SaltSize, HashSize and IsHashSupported are members of the same class (not shown here).
public static bool Verify(string password, string hashedPassword)
{
    // Refuse anything that is not a V1 hash string
    if (!IsHashSupported(hashedPassword))
    {
        throw new NotSupportedException("The hashtype is not supported");
    }

    // Extract the iteration count and the Base64 payload (salt followed by hash)
    var splittedHashString = hashedPassword.Replace("$SPHASH$V1$", "").Split('$');
    var iterations = int.Parse(splittedHashString[0]);
    var base64Hash = splittedHashString[1];

    // Decode the payload. A payload of the wrong length can never match, and the
    // check also prevents reading past the end of the array in the loop below.
    var hashBytes = Convert.FromBase64String(base64Hash);
    if (hashBytes.Length != SaltSize + HashSize)
    {
        return false;
    }

    // The first SaltSize bytes of the payload are the salt
    var salt = new byte[SaltSize];
    Array.Copy(hashBytes, 0, salt, 0, SaltSize);

    // Re-derive the hash with PBKDF2 (Rfc2898DeriveBytes is PBKDF2-HMAC-SHA1)
    // using the stored salt and iteration count
    byte[] hash;
    using (var pbkdf2 = new Rfc2898DeriveBytes(password, salt, iterations))
    {
        hash = pbkdf2.GetBytes(HashSize);
    }

    // Compare the derived hash with the stored one. Accumulating the differences
    // instead of returning at the first mismatch keeps the comparison time
    // independent of where the bytes differ, so timing reveals nothing about the hash.
    var diff = 0;
    for (var i = 0; i < HashSize; i++)
    {
        diff |= hashBytes[i + SaltSize] ^ hash[i];
    }
    return diff == 0;
}
Thanks for the info, going to need to research some of those functions LOL.
Unless you perhaps might happen to have a snippet of Jscript to just create the hashed value given original user entered password by chance?
… Of course our JScript environment does not have support for cryptography functions, but maybe doing it by importing .NET assemblies might be possible. Well, I don't know if it is really worth the effort.
Think you're going to win in all honesty, but you know what comes next now:
Can we not get a secondary PIN field for users, a 'Quick PIN' for RFID/MSR? Either PIN works, one out of two required, both in the same unique pool amongst all users.
@RickH obviously would like something like this LOL
// ClearScript JScript (the SambaPOS scripting host): load the assembly that
// contains SecurePasswordHasher via reflection and call its static Verify method
function verifyPassword(p, h) {
    var lib = host.lib('mscorlib');
    var asm = lib.System.Reflection.Assembly.LoadFrom('C:\\Program Files (x86)\\SambaPOS5\\Samba.Infrastructure.dll');
    var type = asm.GetType('Samba.Infrastructure.Helpers.SecurePasswordHasher');
    var method = type.GetMethod('Verify');
    // Verify(string password, string hashedPassword) takes two arguments
    var arr = host.newArr(2);
    arr[0] = p; // plain-text password entered by the user
    arr[1] = h; // stored "$SPHASH$V1$..." string from the user record
    // Static method, so the target instance is null; the result is a boolean
    var result = method.Invoke(null, arr);
    return result;
}
Forget that, answered my own question: I would need to load all users and loop this function, passing the entered password each time together with each user's hash.
Awesome, thanks for that emre.
Will sort a tutorial when implemented.
Although @emre, I have just had a thought: in future I would ideally need a way to generate the hash :-/. I had planned to integrate Samba with our guestlink site, not just for loyalty members but also as a way of syncing users between all our properties, as we share/move staff around, by having the users also sync through the site.
Would the hash process be specific to an install, or are the methods generic enough that the hash could be generated in PHP or another web-based script? I was going to build the process for creating users on the site and script Samba to sync with the site each morning.
Worst case, these users wouldn't have API access in Samba, and as they are being treated as PINs I could store them in a decodable hash on the site and generate the hash within Samba.
Do you have the method for creating the hash by chance? Then I would generate it in Samba in the sync script.
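As an added example (not code from SambaPOS, emre, or any of the posts above), here is a Python version of the hash format that the Verify() method quoted earlier in the thread reads and that the question above asks how to generate: `$SPHASH$V1$<iterations>$<base64(salt || PBKDF2-HMAC-SHA1(password, salt, iterations))>`. Rfc2898DeriveBytes is standard PBKDF2 with HMAC-SHA1 over the UTF-8 password, so nothing about the hash is tied to one install; any language with a PBKDF2 implementation (PHP's hash_pbkdf2() with 'sha1', for instance) can produce a string the .NET side accepts, as long as it uses the same salt length, output length and iteration count. SALT_SIZE, HASH_SIZE and DEFAULT_ITERATIONS are assumptions here, since the thread never states their values; check them against the real SecurePasswordHasher before syncing hashes between systems.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Layout reconstructed from the Verify() method quoted earlier in the thread:
#   $SPHASH$V1$<iterations>$<base64(salt || PBKDF2-HMAC-SHA1(password, salt, iterations))>
PREFIX = "$SPHASH$V1$"

# ASSUMPTION: Verify() refers to SaltSize and HashSize but the thread never shows
# their values. 16 salt bytes and a 20-byte (SHA-1 sized) hash are the usual choice
# for this pattern; confirm against the real SecurePasswordHasher before relying on
# this for interoperability.
SALT_SIZE = 16
HASH_SIZE = 20
# ASSUMPTION: the thread does not state the iteration count SambaPOS uses either.
DEFAULT_ITERATIONS = 10000


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """What Rfc2898DeriveBytes(password, salt, iterations).GetBytes(HashSize) computes:
    PBKDF2 with HMAC-SHA1 as the PRF over the UTF-8 encoded password."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, HASH_SIZE)


def make_hash(password: str, iterations: int = DEFAULT_ITERATIONS,
              salt: Optional[bytes] = None) -> str:
    """Build a $SPHASH$V1$ string. The salt is random unless one is supplied (for tests)."""
    if iterations < 1:
        raise ValueError("iterations must be positive")
    if salt is None:
        salt = os.urandom(SALT_SIZE)
    if len(salt) != SALT_SIZE:
        raise ValueError("salt must be %d bytes" % SALT_SIZE)
    blob = salt + derive(password, salt, iterations)
    return PREFIX + str(iterations) + "$" + base64.b64encode(blob).decode("ascii")


def is_hash_supported(stored: str) -> bool:
    """Same gate as IsHashSupported(): only the V1 prefix is recognised."""
    return stored.startswith(PREFIX)


def verify(password: str, stored: str) -> bool:
    """Port of Verify(): parse the stored string, re-derive and compare in constant time.
    Malformed input yields False rather than an exception."""
    if not is_hash_supported(stored):
        raise ValueError("The hashtype is not supported")
    parts = stored[len(PREFIX):].split("$")
    if len(parts) != 2:
        return False
    try:
        iterations = int(parts[0])
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # covers int() failures and binascii.Error (a ValueError subclass)
        return False
    if iterations < 1 or len(blob) != SALT_SIZE + HASH_SIZE:
        return False
    salt, expected = blob[:SALT_SIZE], blob[SALT_SIZE:]
    # compare_digest keeps the timing independent of where the first differing byte is
    return hmac.compare_digest(derive(password, salt, iterations), expected)


if __name__ == "__main__":
    stored = make_hash("hunter2", iterations=1000)  # constructed sample password
    print(stored)
    print(verify("hunter2", stored), verify("hunter3", stored))
```

derive() is checked against the RFC 6070 PBKDF2-HMAC-SHA1 test vectors, which is the same arithmetic Rfc2898DeriveBytes performs; if the two sides agree on salt length, hash length and iteration count, a string produced by make_hash() verifies in Samba and vice versa. Note that verify() compares with hmac.compare_digest and rejects payloads of the wrong length instead of indexing into them.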
Hey, noticed your entity screen on this thread and saw that you have employment status listed. How do you use this? I'm assuming it's active or inactive; is it linked to a state?
I did a cheap hack for this using rules and actions. The downside is you need an action for each user. I suppose one could write a script to pull the PIN from the DB.