c# - Sanity Check: Salt and hashed passwords


I had an idea about hashed passwords and salt values. Since I'm new to hashing and encryption, I thought I'd post it to you. Would it be more secure to generate a unique salt for each user account, then store the salt and hashed values in the database? Or keep a single salt value securely stored and reuse it whenever I save a password?

For example, a user will use the password:

  "secret"  

My code will generate a salt value:

  "d1d0e3d4b3d1ed1598a4e77bb614750a2a175e"  

Then hash the result to get:

The hashed result and salt will then be stored in the database in the user's profile when their account is created. Then, every time the user logs on, a new salt is generated, and the password and salt are rehashed and stored in the database.

Any thoughts? Like I said, this is a sanity check of an idea I have in mind.


Storing a unique salt per user is a good idea in my opinion. Regenerating the salt/hash combination every time the user logs in is a little redundant unless you have CPU cycles to burn. I recommend using something like the Rfc2898DeriveBytes class to generate a secure salt/hash combo:

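A simple example of creating a hash from a password:

    using System.Security.Cryptography;

    // GetPasswordFromInput and SaveToDatabase stand for the application's own helpers.
    string password = GetPasswordFromInput();

    // Passing a salt size makes Rfc2898DeriveBytes generate a random salt itself.
    using (var deriveBytes = new Rfc2898DeriveBytes(password, 32)) // 32-byte salt
    {
        byte[] salt = deriveBytes.Salt;
        byte[] hash = deriveBytes.GetBytes(32); // 32-byte hash
        SaveToDatabase(salt, hash);
    }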

And the corresponding password check:

    using System;
    using System.Linq; // SequenceEqual
    using System.Security.Cryptography;

    string password = GetPasswordFromInput();
    byte[] salt = GetSaltFromDatabase();
    byte[] hash = GetHashFromDatabase();

    // Re-derive the hash from the entered password and the stored salt.
    using (var deriveBytes = new Rfc2898DeriveBytes(password, salt))
    {
        if (deriveBytes.GetBytes(32).SequenceEqual(hash))
            Console.WriteLine("Password matches");
        else
            throw new Exception("Bad password");
    }
