

Question: How do I protect passwords?

Answer:

You should store passwords in a non-reversible hashed format. Generate the hash from a combination of the password and a random salt value. Use an algorithm such as SHA256.
The salt value helps slow down an attacker performing a dictionary attack should your credential store be compromised, giving you additional time to detect and react to the compromise.
Here is how you create non-reversible salted hashes for your user passwords.
* Generate a random salt value by using the following code.
		 // 32 bytes of cryptographically random salt
		 byte[] salt = new byte[32];
		 System.Security.Cryptography.RNGCryptoServiceProvider.Create().GetBytes(salt);
	
* Append the salt to the password.
		 // Convert the plain string password into bytes (UTF-16)
		 byte[] plainTextBytes = System.Text.Encoding.Unicode.GetBytes(plainText);
		 // Append salt to password before hashing
		 byte[] combinedBytes = new byte[plainTextBytes.Length + salt.Length];
		 System.Buffer.BlockCopy(plainTextBytes, 0, combinedBytes, 0, plainTextBytes.Length);
		 System.Buffer.BlockCopy(salt, 0, combinedBytes, plainTextBytes.Length, salt.Length);
	
* Hash the combined password and salt by using the following code.
		 // Create hash for the password+salt
		 System.Security.Cryptography.HashAlgorithm hashAlgo = new System.Security.Cryptography.SHA256Managed();
		 byte[] hash = hashAlgo.ComputeHash(combinedBytes);
	
* Append the salt to the resultant hash.
		 // Append the salt to the hash (hash first, then salt)
		 byte[] hashPlusSalt = new byte[hash.Length + salt.Length];
		 System.Buffer.BlockCopy(hash, 0, hashPlusSalt, 0, hash.Length);
		 System.Buffer.BlockCopy(salt, 0, hashPlusSalt, hash.Length, salt.Length);
	
* Store the result in your user store database.
This approach means you do not need to store the salt separately. To verify a password, you extract the salt from the stored combination of hash and salt (the last 32 bytes, since it was appended after the 32-byte SHA256 hash), then recompute the hash using that salt and the plaintext password obtained from the user, and compare the result with the stored hash.
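As an added example (not code from the original FAQ), here are the create and verify steps above combined into one class; the class and method names are assumptions, and the modern SHA256.Create() and RandomNumberGenerator.Create() factories are used in place of the SHA256Managed and RNGCryptoServiceProvider classes named above.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// PasswordHasher is an assumed name; this is an added example, not the FAQ's code.
public static class PasswordHasher
{
    private const int SaltSize = 32;  // random salt length, as in the FAQ
    private const int HashSize = 32;  // SHA-256 output length

    // Returns hash(password || salt) followed by the salt, as one blob to store.
    public static byte[] CreateHashWithSalt(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);

        byte[] hash = ComputeHash(password, salt);
        byte[] hashPlusSalt = new byte[HashSize + SaltSize];
        Buffer.BlockCopy(hash, 0, hashPlusSalt, 0, HashSize);
        Buffer.BlockCopy(salt, 0, hashPlusSalt, HashSize, SaltSize);
        return hashPlusSalt;
    }

    // Verifies a login attempt: the salt is the last SaltSize bytes of the stored
    // blob and the expected hash is the first HashSize bytes.
    public static bool Verify(string password, byte[] stored)
    {
        if (stored == null || stored.Length != HashSize + SaltSize) return false;

        byte[] salt = new byte[SaltSize];
        Buffer.BlockCopy(stored, HashSize, salt, 0, SaltSize);
        byte[] actual = ComputeHash(password, salt);

        // Compare all bytes regardless of where the first mismatch is, so timing
        // does not reveal how much of the hash matched.
        int diff = 0;
        for (int i = 0; i < HashSize; i++) diff |= stored[i] ^ actual[i];
        return diff == 0;
    }

    // SHA-256 over the password bytes (UTF-16, as in the FAQ) followed by the salt.
    private static byte[] ComputeHash(string password, byte[] salt)
    {
        byte[] passwordBytes = Encoding.Unicode.GetBytes(password);
        byte[] combined = new byte[passwordBytes.Length + salt.Length];
        Buffer.BlockCopy(passwordBytes, 0, combined, 0, passwordBytes.Length);
        Buffer.BlockCopy(salt, 0, combined, passwordBytes.Length, salt.Length);
        using (SHA256 sha = SHA256.Create()) return sha.ComputeHash(combined);
    }
}
```

Verify recovers the salt from the stored blob, so nothing besides the blob needs to be kept per user. Because SHA-256 is a fast hash, the salt rules out precomputed tables but adds no per-guess cost on its own.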

