What is a simple and reliable method of password hashing in ASP.NET MVC?

I need a simple and reliable way to hash the password in the AccountController controller.
It looks like this:
public class AccountController : Controller {

    private IAuthProvider authProvider;
    private IUserRepository repository;

    public AccountController(IAuthProvider auth, IUserRepository repo) {
        authProvider = auth;
        repository = repo;
    }

    public ViewResult Login() {
        return View();
    }

    public ViewResult Register() {
        return View();
    }

    [HttpPost]
    public ActionResult Login(LoginViewModel model) {

        if (ModelState.IsValid) {

            User user = repository.Users().FirstOrDefault(m => m.Login == model.Login && m.Password == model.Password);
            if (user != null) {
                authProvider.Authenticate(model.Login);
                return RedirectToAction("Index", "Document");
            } else {
                ModelState.AddModelError("", "Invalid username or password");
            }

        }
        return View(model);
    }

    [HttpPost]
    public ActionResult Register(RegisterViewModel model) {

        if (ModelState.IsValid) {

            User user = repository.Users().FirstOrDefault(m => m.Login == model.Login);
            if (user == null) {
                repository.Add(new User { Login = model.Login, Password = model.Password });

                user = repository.Users().Where(m => m.Login == model.Login && m.Password == model.Password).FirstOrDefault();
                if (user != null) {
                    authProvider.Authenticate(model.Login);
                    return RedirectToAction("Index", "Document");
                }

            } else {
                ModelState.AddModelError("", "a User with such login already there");
            }

        }

        return View(model);
    }

    public ActionResult ExitToStore() {
        authProvider.Exit();
        return RedirectToAction("Login");
    }

}
June 14th 19 at 20:04
3 answers
June 14th 19 at 20:06
To hash the password it is best to use BCrypt (example).
If you do not like BCrypt, you can use SHA512 - it is already in the .NET Framework.
June 14th 19 at 20:08
About the architecture - dragging the repository into the controller layer is the level of the second quarter of the first grade.
Ideally, you should have a BL that checks the user, issues them a session cookie or some other sign of authorization, and returns the result of its work. In the case of success, redirect somewhere.
Regarding the hash - SHA512 and some fun salting algorithm (don't just stick the salt on the side).
Regarding the level at which the hash will be computed - it all depends on the authorization. In your case it smells of EF, so the hash should probably be computed at the repository access level.
If you use stored procedures, you have to pass the password untouched to the database and compute the hash there. Otherwise there will be the logic of fetching the entire database of users, and then finding the right one, which is not the fact that you are
Well, no one said I was on some higher level))
Could you go into as much detail as possible about the levels (BL)? Or where to read... - rebekah.Schmi commented on June 14th 19 at 20:11
Presentation(UI)->Business Logic(BL)->Data Access Layer(DAL)->Storage(DB)
Sometimes there is also a small arrow going from BL in another direction - Services. For example, a service for sending mail, or interaction with any external API - glenna_Hauck commented on June 14th 19 at 20:14
June 14th 19 at 20:10
Why not use the standard .NET class: MD5?

Usage is very simple:

using System;
using System.Text;
using System.Security.Cryptography;

class Program
{
    static void Main(string[] args)
    {
        string pass = "123";

        using (MD5 md5 = MD5.Create())
        {
            string hash = GetMD5(md5, pass);

            Console.Write(hash);

            Console.ReadKey();
        }
    }

    // Returns the MD5 digest of the UTF-8 password bytes as lowercase hex.
    static string GetMD5(MD5 md5, string pass)
    {
        byte[] data = md5.ComputeHash(Encoding.UTF8.GetBytes(pass));

        StringBuilder sb = new StringBuilder();

        for (int i = 0; i < data.Length; i++)
        {
            sb.Append(data[i].ToString("x2"));
        }

        return sb.ToString();
    }
}
MD5 is obsolete and unreliable; modern methods crack it like seeds. Salted MD5 is a little better, but still too weak. - rebekah.Schmi commented on June 14th 19 at 20:13
