I just discovered the Rfc2898DeriveBytes class, thanks to the MSDN
nugget on storing passwords. The thing is, it left me *** at
the end. Should I be using this new class or should I be using SHA256
to hash a concatenation of a user's password with a salt generated by
means of an RNGCryptoServiceProvider? Also, if I choose the second
method, is there tangible benefit to creating a random length salt, as
observed here? If anyone has the answers to these questions and
wouldn't mind sharing them, I'd really appreciate it.