Re: Preferred method of hashing salted password
- From: "Jono" <jono.pare@xxxxxxxxx>
- Date: 21 Aug 2006 06:31:58 -0700
I appreciate your response Dominick.
I'll give the Rfc2898 class a try next time I'm given the task of
storing user passwords. I'll admit, I had my doubts about the length of
the hash, but if you reckon 16 bytes is enough (sounds like Gates'
infamous quote) then I'll go along with it.
Cheers,
Jono
Dominick Baier wrote:
Hi,
Well, I am a little biased :))
But you should use the Rfc2898 class, which gives you the additional benefit
of iterations. 16-byte lengths are enough.
dominick
www.leastprivilege.com
Hi,
I just discovered the Rfc2898DeriveBytes class, thanks to the MSDN
nugget on storing passwords [1]. The thing is, it left me hanging at
the end. Should I be using this new class or should I be using SHA256
to hash a concatenation of a user's password with a salt generated by
means of an RNGCryptoServiceProvider. Also, if I choose the second
method, is there tangible benefit to creating a random length salt, as
observed here [2]? If anyone has the answers to these questions and
wouldn't mind sharing them, I'd really appreciate it.
Many thanks,
Jono
[1] http://www.microsoft.com/uk/msdn/events/nuggets.aspx
[2] http://www.obviex.com/samples/hash.aspx
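The approach Dominick recommends, written out as an added example (not code from either poster): PBKDF2-HMAC-SHA1, which is what .NET's Rfc2898DeriveBytes implements, with a 16-byte random salt, a 16-byte derived key and a stored iteration count, alongside the single-SHA256 alternative Jono asked about for contrast. The `pbkdf2-sha1$iter$salt$key` record layout and the 10000-iteration default are my assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 16        # 16 random bytes, as recommended in the thread
KEY_LEN = 16         # 16-byte derived key, as recommended in the thread
ITERATIONS = 10000   # assumption; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a key with PBKDF2-HMAC-SHA1 (the Rfc2898DeriveBytes algorithm).

    Returns a self-describing record so the salt and iteration count travel
    with the hash: "pbkdf2-sha1$<iterations>$<salt hex>$<key hex>".
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)  # CSPRNG, like RNGCryptoServiceProvider
    key = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_LEN)
    return f"pbkdf2-sha1${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    scheme, iters, salt_hex, key_hex = record.split("$")
    if scheme != "pbkdf2-sha1":
        raise ValueError(f"unsupported scheme: {scheme}")
    expected = bytes.fromhex(key_hex)
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters),
                                    dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True if the record was made with fewer iterations than current policy.

    Storing the count is what makes a later increase possible without
    invalidating existing users; rehash on their next successful login.
    """
    return int(record.split("$")[1]) < minimum_iterations


def single_sha256(password: str, salt: bytes) -> bytes:
    """The alternative from the question: one SHA-256 over salt || password.

    It has no work factor, so it costs an attacker one hash per guess.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).digest()
```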