Preferred method of hashing salted password

Jono wrote:

Hi,

I just discovered the Rfc2898DeriveBytes class, thanks to the MSDN nugget on storing passwords [1]. The thing is, it left me hanging at the end. Should I be using this new class or should I be using SHA256 to hash a concatenation of a user's password with a salt generated by means of an RNGCryptoServiceProvider? Also, if I choose the second method, is there tangible benefit to creating a random length salt, as observed here [2]? If anyone has the answers to these questions and wouldn't mind sharing them, I'd really appreciate it.

Many thanks,
Jono

[1] http://www.microsoft.com/uk/msdn/events/nuggets.aspx
[2] http://www.obviex.com/samples/hash.aspx

Reply:

use the keyed hash classes

Dominick Baier wrote:

"Jono" wrote:
> Hi,
> I just discovered the Rfc2898DeriveBytes class, thanks to the MSDN
> nugget on storing passwords [1]. The thing is, it left me hanging at
> the end. Should I be using this new class or should I be using SHA256
> to hash a concatenation of a user's password with a salt generated by
> means of an RNGCryptoServiceProvider. Also, if I choose the second
> method, is there tangible benefit to creating a random length salt, as
> observed here [2]? If anyone has the answers to these questions and
> wouldn't mind sharing them, I'd really appreciate it.
> Many thanks,
> Jono
>
> [1] http://www.microsoft.com/uk/msdn/events/nuggets.aspx
> [2] http://www.obviex.com/samples/hash.aspx

Hi,

well - i am a little biased :))

But you should use the Rfc2898 class which gives you the additional benefit of iterations. 16 byte lengths are enough.

dominick
www.leastprivilege.com

Jono wrote:

I appreciate your response Dominick.

I'll give the Rfc2898 class a try next time I'm given the task of storing user passwords. I'll admit, I had my doubts about the length of the hash, but if you reckon 16 bytes is enough (sounds like Gates' infamous quote) then I'll go along with it.

Cheers,
Jono

Dominick Baier wrote:
> Hi,
>
> well - i am a little biased :))
>
> But you should use the Rfc2898 class which gives you the additional benefit
> of iterations. 16 bytes lengths are enough.
>
> dominick
> www.leastprivilege.com
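The two options Jono asks about and the iteration benefit Dominick points to, written out as an added example in Python rather than .NET (this is not code from the thread; Python's hashlib.pbkdf2_hmac computes the same RFC 2898 PBKDF2-HMAC-SHA1 derivation that Rfc2898DeriveBytes does, so the outputs interoperate byte for byte). The iteration count and the record format are my own assumptions, not values from the thread.

```python
import hashlib
import hmac
import os

# Parameters from the thread: a 16-byte random salt from the OS CSPRNG (the
# role RNGCryptoServiceProvider plays in .NET) plus an iteration count.
# The iteration count is an assumed value for this example; the thread does
# not give one.
SALT_LEN = 16
ITERATIONS = 100_000
DK_LEN = 20  # Rfc2898DeriveBytes(pw, salt, c).GetBytes(20) returns these same bytes


def naive_hash(password: str, salt: bytes) -> bytes:
    """The alternative from the question: a single SHA-256 over salt || password.
    One hash per guess, so whoever steals the table pays almost nothing per try."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int, dk_len: int = DK_LEN) -> bytes:
    """PBKDF2-HMAC-SHA1 as specified in RFC 2898; every guess costs the attacker
    `iterations` HMAC evaluations instead of one hash."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dk_len)


def store(password: str) -> str:
    """Build a record 'iterations$salt_hex$hash_hex' with a fresh random salt.
    The record carries the salt and the count, so the count can be raised later
    without a migration; a fixed 16-byte salt needs no random length."""
    salt = os.urandom(SALT_LEN)
    return f"{ITERATIONS}${salt.hex()}${pbkdf2_hash(password, salt, ITERATIONS).hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt and count; compare in constant time."""
    iters, salt_hex, dk_hex = record.split("$")
    dk = pbkdf2_hash(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    rec = store("correct horse")
    print(rec)
    print(verify("correct horse", rec), verify("wrong horse", rec))
```

The RFC 6070 test vectors (password "password", salt "salt") are a quick way to confirm that this and Rfc2898DeriveBytes agree.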