Passing passwords from a Xamarin app to ASP.NET Core

Seth Isaacks 51 Reputation points
2023-06-09T01:07:23.57+00:00

Hello

I have a Xamarin application, and I have currently created an ASP.NET Core web API. I am using basic authentication. However, that takes userName:PassWord, encodes it, converts it to a Base64 string and sends it across the wire. That does not seem very secure.

I looked into other encryptions for hashing and salting the password. This led me down a path of even more confusion. If on the server I store the hash and salt, and when sending the password to the server I send over the salted password... then compare that by salting the hash on the server... how does that really prevent a man-in-the-middle attack? I mean, if they know the hash... wouldn't they then be able to use that to get in?

So I thought I would use Identity Core... which automatically hashes the password for you. However, in every example I have found, the password is being sent in plain text to the server, which seems odd to me. But if I were to hash the password on the client, send it over to create an account, and then the Identity framework hashes it again... I would not be able to log in again... because the hash would be different. I am so confused as to how to handle this.

I have googled and googled and googled and read and read and read, but I cannot find an answer. I think I am missing something or not understanding. Can you help answer this question? What am I missing? What am I doing wrong?

Developer technologies | .NET | Xamarin
Developer technologies | ASP.NET | ASP.NET Core
Developer technologies | .NET | Other
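As an added illustration of the "the hash would be different" worry (this is my example, not code from the question or the answer): ASP.NET Core Identity's `PasswordHasher<TUser>` draws a fresh random salt on every call and stores it inside the hash string, so two hashes of the same password differ yet both verify. The `DemoUser` type, the sample password and the unsalted SHA-256 `ClientPreHash` helper are constructed for this demo. The second half shows what happens when a client sends a deterministic pre-hash instead of the password: registration and login stay consistent because the server sees the same string both times, but that string is now the secret on the wire, so it still needs TLS in transit and gains nothing against an attacker who can read the traffic.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Identity;   // NuGet package: Microsoft.Extensions.Identity.Core

// Minimal user type; PasswordHasher<TUser> only uses it as a type parameter here.
public sealed class DemoUser
{
    public string UserName { get; set; } = "";
}

public static class HashDemo
{
    // Constructed sample credentials for the demonstration.
    private static readonly DemoUser User = new() { UserName = "alice" };
    private const string Password = "correct horse battery staple";

    public static void Main()
    {
        var hasher = new PasswordHasher<DemoUser>();

        // Each HashPassword call draws a fresh random salt, so the stored value differs
        // every time even though the password is identical.
        string hash1 = hasher.HashPassword(User, Password);
        string hash2 = hasher.HashPassword(User, Password);
        Console.WriteLine($"two hashes of the same password are equal: {hash1 == hash2}");

        // Verification parses the salt out of the stored string, so both hashes verify
        // for the right password and neither verifies for a wrong one.
        Console.WriteLine($"hash1 verifies: {hasher.VerifyHashedPassword(User, hash1, Password)}");
        Console.WriteLine($"hash2 verifies: {hasher.VerifyHashedPassword(User, hash2, Password)}");
        Console.WriteLine($"wrong password: {hasher.VerifyHashedPassword(User, hash1, "not the password")}");

        // If the client pre-hashes deterministically (no per-call salt), registration and
        // login stay consistent, because the server hashes the same input string both times...
        string stored = hasher.HashPassword(User, ClientPreHash(Password));
        Console.WriteLine($"pre-hash at login: {hasher.VerifyHashedPassword(User, stored, ClientPreHash(Password))}");

        // ...but the raw password no longer matches, and the pre-hash has become the real
        // credential travelling over the network. Confidentiality of that value comes from
        // TLS, not from the hashing, which is why the server-side hash alone is not enough.
        Console.WriteLine($"raw password at login: {hasher.VerifyHashedPassword(User, stored, Password)}");
    }

    // Constructed example of a deterministic client-side pre-hash (unsalted SHA-256).
    private static string ClientPreHash(string password) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(password)));
}
```

Build it as a console project targeting .NET 6 or later with a package reference to Microsoft.Extensions.Identity.Core; the hasher's own format (version byte, PBKDF2 parameters, salt, subkey) is what makes `VerifyHashedPassword` work without the caller ever handling the salt.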

1 answer

hossein jalilian 11,210 Reputation points Volunteer Moderator
2024-02-02T03:52:22.45+00:00

Thanks for posting your question in the Microsoft Q&A forum.

Here are some recommendations to help you handle passwords more securely:

1. HTTPS (TLS): Ensure that the communication between the Xamarin application and the ASP.NET Core web API is secured using HTTPS (TLS).
2. OAuth 2.0 with Authorization Code Flow: If possible, use OAuth 2.0 with the Authorization Code Flow. This involves obtaining an authorization code through a secure redirection, exchanging it for an access token, and then using the access token for subsequent API requests.
3. Identity Framework and Token Authentication: If you are using ASP.NET Core Identity, consider utilizing token-based authentication. This involves generating and validating tokens on the server side. Identity Framework can handle password hashing and validation for you.
4. Client-Side Hashing: If you choose to hash passwords on the client side, ensure that the hashed password is transmitted securely to the server over HTTPS. The server then validates the hashed password against the stored hashed password.
5. Multi-Factor Authentication (MFA): Consider implementing multi-factor authentication to enhance security.

Please don't forget to close the thread here by upvoting and accepting this as the answer if it is helpful.

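As an added example of the "Identity Framework and Token Authentication" recommendation above (my code, not the answerer's or the asker's): a minimal ASP.NET Core API where the Xamarin client posts the raw credentials inside the TLS-protected request body, the server checks them with Identity's own hasher (it never receives or stores a client-side hash), and on success issues a short-lived JWT that the app then sends as a Bearer token. Assumptions, all constructed for this sample: an EF Core in-memory store so it runs without a database, a signing key read from the `Jwt:Key` configuration value, the issuer/audience names `api-demo` and `xamarin-app`, the placeholder URL `https://api.example.com`, and the `Credentials`, `TokenResponse`, `AppDb` and `ApiClient` types.

```csharp
// Program.cs (.NET 8 minimal API). Packages: Microsoft.AspNetCore.Authentication.JwtBearer,
// Microsoft.AspNetCore.Identity.EntityFrameworkCore, Microsoft.EntityFrameworkCore.InMemory.
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumed store: in-memory EF Core so the sample runs without a database.
builder.Services.AddDbContext<AppDb>(o => o.UseInMemoryDatabase("auth-demo"));
builder.Services.AddIdentityCore<IdentityUser>(o =>
{
    o.Password.RequiredLength = 12;                          // policy is enforced server-side
    o.Lockout.MaxFailedAccessAttempts = 5;                   // slows down online guessing
    o.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
}).AddEntityFrameworkStores<AppDb>();

// Assumed: the HMAC key comes from configuration (user secrets, env var, key vault), never source.
var keyBytes = Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]
    ?? throw new InvalidOperationException("Jwt:Key is not configured"));
var signingKey = new SymmetricSecurityKey(keyBytes);

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o => o.TokenValidationParameters = new TokenValidationParameters
    {
        ValidIssuer = "api-demo",
        ValidAudience = "xamarin-app",
        IssuerSigningKey = signingKey,
        ValidateIssuerSigningKey = true,
        ClockSkew = TimeSpan.FromSeconds(30),                // default 5 min is generous for 30-min tokens
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseHttpsRedirection();                                   // credentials and tokens travel only inside TLS
app.UseAuthentication();
app.UseAuthorization();

app.MapPost("/register", async (Credentials c, UserManager<IdentityUser> users) =>
{
    // Identity salts and hashes the password here; the client sends it unchanged over TLS.
    var result = await users.CreateAsync(new IdentityUser { UserName = c.UserName }, c.Password);
    return result.Succeeded ? Results.Ok() : Results.BadRequest(result.Errors);
});

app.MapPost("/login", async (Credentials c, UserManager<IdentityUser> users) =>
{
    var user = await users.FindByNameAsync(c.UserName);
    // Same 401 for unknown user, locked-out user and wrong password: do not reveal which.
    if (user is null || await users.IsLockedOutAsync(user)) return Results.Unauthorized();
    if (!await users.CheckPasswordAsync(user, c.Password))
    {
        await users.AccessFailedAsync(user);                 // counts towards lockout
        return Results.Unauthorized();
    }
    await users.ResetAccessFailedCountAsync(user);

    var token = new JwtSecurityToken(
        issuer: "api-demo",
        audience: "xamarin-app",
        claims: new[]
        {
            new Claim(JwtRegisteredClaimNames.Sub, user.Id),
            new Claim(JwtRegisteredClaimNames.UniqueName, user.UserName!),
        },
        expires: DateTime.UtcNow.AddMinutes(30),             // short lifetime bounds the damage of a leaked token
        signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));

    return Results.Ok(new TokenResponse(new JwtSecurityTokenHandler().WriteToken(token), 1800));
});

// A protected endpoint: reachable only with a valid, unexpired Bearer token.
app.MapGet("/me", (ClaimsPrincipal me) => Results.Ok(new { name = me.Identity?.Name }))
   .RequireAuthorization();

app.Run();

record Credentials(string UserName, string Password);
record TokenResponse(string access_token, int expires_in);

class AppDb(DbContextOptions<AppDb> options) : IdentityDbContext<IdentityUser>(options) { }

// Xamarin side (assumed shape): one HttpClient, credentials in the body, token in the header.
static class ApiClient
{
    public static async Task LoginAsync(HttpClient http, string userName, string password)
    {
        var response = await http.PostAsJsonAsync("https://api.example.com/login",
            new Credentials(userName, password));
        response.EnsureSuccessStatusCode();
        var body = await response.Content.ReadFromJsonAsync<TokenResponse>();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", body!.access_token);
    }
}
```

The design point for the original question: the password crosses the wire exactly once per login, in plaintext but inside TLS, and is hashed only on the server, so there is no double-hashing problem; everything after that uses the token, which expires on its own and can be rejected server-side without touching the password store. In a real app the `ApiClient` class lives in the Xamarin project and shares the record types through a common library rather than the server's Program.cs.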
