views:

44

answers:

1

I'm currently building a couple of ASP.NET MVC 2 sites, and am wondering what my options are for salting a password. With my PHP work, I usually just obtained the timestamp of when a user registered, then appended it to the end of their password string before using SHA1 to hash the entire thing. My instinct is that this approach may not be sufficient.

I'm pretty new to user administration with ASP.NET anyway, so I figure it would be in my best interest to get started with best practices from the beginning. I know that ASP.NET web forms have built-in user administration available, but am unsure about MVC.

+2  A: 

The only point of a SALT is to prevent rainbow attacks, where multiple users have the same hash for their password, so reversing one password successfully means you also know it's the password for everybody else with the same hash. Even a single-digit salt will prevent that, since two users with the same password will have different hashes if they have different salts.

As long as the salt is something that won't change, and that is different for every user, any value will work well. Timestamp of their registration, provided you don't update that field (which would invalidate their password hash and prevent their login) is a fine choice.

rwmnau
Thanks for the explanation. I always tend to doubt myself when it comes to things like this, so it's nice to know I was on the right track.
kevinmajor1