views:

1559

answers:

4

Could you please advise me some easy algorithm for hashing user password by MD5, but with salt for increasing reliability.

Now I have this one:

private static string GenerateHash(string value)
{
    var data = System.Text.Encoding.ASCII.GetBytes(value);
    data = System.Security.Cryptography.MD5.Create().ComputeHash(data);
    return Convert.ToBase64String(data);
}
+3  A: 

Here's a sample. It handles MD5, SHA1, SHA256, SHA384, and SHA512.

Darin Dimitrov
+6  A: 

You can use the HMACMD5 class:

var hmacMD5 = new HMACMD5(salt);
var saltedHash = hmacMD5.ComputeHash(password);

Works with SHA-1, SHA256, SHA384, SHA512 and RIPEMD160 as well:

var hmacSHA1 = new HMACSHA1(salt);
var saltedHash = hmacSHA1.ComputeHash(password);

Both salt and password are expected as byte arrays.

If you have strings you'll have to convert them to bytes first:

var salt = System.Text.Encoding.UTF8.GetBytes("my salt");
var password = System.Text.Encoding.UTF8.GetBytes("my password");
dtb
http://msdn.microsoft.com/en-us/library/system.security.cryptography.hmacsha1.hmacsha1.aspx HMACSHA1 constructor accepts not a salt but a key as single parameter
abatishchev
A HMAC is usually used to get the keyed hash of a message. If you replace the key with a salt and the message with your password, you can use the HMAC to get the salted hash of a password.
dtb
+1  A: 

Microsoft have done this work for you, but it takes a bit of digging. Install Web Service Extensions 3.0, and have a look at the Microsoft.Web.Services3.Security.Tokens.UsernameToken.ComputePasswordDigest function with Reflector.

I would like to post the source code to that function here, but I'm not sure if it's legal to do that. If anyone can reassure me then I will do so.

Christian Hayter
I suspect that the legality depends very much on where you are. In some jurisdictions it's illegal for you to even look at the decompiled code yourself, let alone post it for others to look at!
LukeH
KeeperOfTheSoul
+1  A: 

In addition to the HMACSHA1 class mentioned above, if you just need a quick salted hash, then you're already 95% of the way there:

private static string GenerateHash(string value, string salt)
{
    byte[] data = System.Text.Encoding.ASCII.GetBytes(salt + value);
    data = System.Security.Cryptography.MD5.Create().ComputeHash(data);
    return Convert.ToBase64String(data);
}

The real trick is storing the salt in a secure location, such as your machine.config.

Juliet
Could timestamp be a good salt? or discovery of such fact will compromise whole algorithm?
abatishchev
Time stamp would not work because when you go to validate the hash against new input, the time will be different.
Fantius
Unless you are storing the time stamp along with the digest, in which case it would work but would not be very secure.
Fantius
If the security of your implementation depends on keeping the salt secret then you're in big trouble!
LukeH