I need to salt and hash some passwords so that I can store them safely in a database. Do you have any advice or ideas as to how best to do this using Linq To SQL?
+23
A:
LINQ to SQL doesn't have much relevance in this case. You could use any mechanism you want to, because you won't be doing hashing and salting in SQL.
The steps to save a password would go along these lines:
- Receive the password as cleartext, along with the user's ID.
- Generate (and remember) the salt.
- Combine the salt with the password text, e.g. prepend it or append it.
- Hash the resulting text with your hash function
- Store the user ID, the hash and the salt in your DB.
The steps to verify a password would go along these lines:
- Receive the password as cleartext, along with the user's ID.
- Retrieve the hashed and the salt from the DB for the supplied user ID.
- Combine the salt with the supplied password text.
- Hash the resulting text with your hash function.
- Compare the hash from the function with the hash retrieved from the DB.
- If they are equal, the supplied password was correct.
Vojislav Stojkovic
2009-02-24 17:08:44
Is it common to generate and store salt for each password, as opposed to having one common salt to combine with each received password? Granted, it "seems" more secure, but since the salt is just stored in the database anyway... Just wondering.
JMD
2009-02-24 17:24:31
Yes, definitely per-user salts - consider an attacker with the hashed password database. With per-user salt each guessed password he hashes can only be compared against one entry, with one salt, he can compare it against all the hashed passwords.
Douglas Leeder
2009-02-24 17:50:40
rainbow tables FTW, the more salt the better
ShuggyCoUk
2009-02-24 18:18:42
Thanks so much Vojislav,now i put in action your advices hoping that's all right!Good Work.
JayJay
2009-02-25 03:10:28
This should be its own post somewhere. Great explanation.
rik.the.vik
2009-10-22 01:07:41
+1
A:
Basically as @Vojislav says.
You might want to look at bcrypt for the hashing - it's reputed to be very good.
Douglas Leeder
2009-02-24 17:54:49
+3
A:
Since you are using the .NET and C#, use can use the System.Security.Cryptography.SHA512Managed namespace for generating the salt value and password hash
Michael Kniskern
2009-02-24 18:11:59