Preferred method of hashing salted password

Post by Jono » Sun, 20 Aug 2006 00:39:49


Hi,
I just discovered the Rfc2898DeriveBytes class, thanks to the MSDN
nugget on storing passwords [1]. The thing is, it left me *** at
the end. Should I be using this new class, or should I be using SHA256
to hash a concatenation of a user's password with a salt generated by
means of an RNGCryptoServiceProvider? Also, if I choose the second
method, is there tangible benefit to creating a random length salt, as
observed here [2]? If anyone has the answers to these questions and
wouldn't mind sharing them, I'd really appreciate it.
Many thanks,
Jono

[1] http://www.yqcomputer.com/
[2] http://www.yqcomputer.com/

Preferred method of hashing salted password

Post by c2VyZ2UgY2 » Sun, 20 Aug 2006 01:31:03

use the keyed hash classes


Preferred method of hashing salted password

Post by Dominick B » Sun, 20 Aug 2006 19:52:23

Hi,

well - I am a little biased :))

But you should use the Rfc2898 class, which gives you the additional benefit
of iterations. 16-byte lengths are enough.


dominick
www.leastprivilege.com

Preferred method of hashing salted password

Post by Jono » Tue, 22 Aug 2006 22:31:58

I appreciate your response Dominick.
I'll give the Rfc2898 class a try next time I'm given the task of
storing user passwords. I'll admit, I had my doubts about the length of
the hash, but if you reckon 16 bytes is enough (sounds like Gates'
infamous quote) then I'll go along with it.
Cheers,
Jono