I need to salt and hash some passwords so that I can store them safely in a database. Do you have any advice or ideas as to how best to do this using LINQ to SQL?

+23  A: 

LINQ to SQL doesn't have much relevance in this case. You could use any mechanism you want to, because you won't be doing hashing and salting in SQL.

The steps to save a password would go along these lines:

  1. Receive the password as cleartext, along with the user's ID.
  2. Generate (and remember) the salt.
  3. Combine the salt with the password text, e.g. prepend it or append it.
  4. Hash the resulting text with your hash function.
  5. Store the user ID, the hash and the salt in your DB.

The steps to verify a password would go along these lines:

  1. Receive the password as cleartext, along with the user's ID.
  2. Retrieve the hash and the salt from the DB for the supplied user ID.
  3. Combine the salt with the supplied password text.
  4. Hash the resulting text with your hash function.
  5. Compare the hash from the function with the hash retrieved from the DB.
  6. If they are equal, the supplied password was correct.

Vojislav Stojkovic
Is it common to generate and store salt for each password, as opposed to having one common salt to combine with each received password? Granted, it "seems" more secure, but since the salt is just stored in the database anyway... Just wondering.
JMD
Yes, definitely per-user salts - consider an attacker with the hashed password database. With per-user salts, each guessed password he hashes can only be compared against one entry; with one salt, he can compare it against all the hashed passwords.
Douglas Leeder
rainbow tables FTW, the more salt the better
ShuggyCoUk
Thanks so much Vojislav, now I have put your advice into action, hoping that's all right! Good work.
JayJay
This should be its own post somewhere. Great explanation.
rik.the.vik
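The save and verify procedures from the answer above, written out as an added example that is not part of the original post. The database is stood in for by an in-memory dict (the LINQ to SQL insert and select would replace those two lines), and the "hash the salt with the password" step uses PBKDF2-HMAC-SHA512 rather than a single plain hash, so each guess costs an attacker many hash computations; the iteration count and salt length are assumed values.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA512; an assumed value, tune for your hardware.
ITERATIONS = 200_000
SALT_BYTES = 16

# Constructed in-memory stand-in for the users table: user_id -> (hash, salt).
# A LINQ to SQL insert/select would replace the two dict operations below.
user_store = {}


def hash_password(password: str, salt: bytes) -> bytes:
    """Steps 3-4: combine the salt with the password and hash the result.
    PBKDF2 repeats the HMAC-SHA512 ITERATIONS times, so a guess is slow."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)


def save_password(user_id: str, password: str) -> None:
    """Saving, steps 1-5: fresh per-user salt, hash, store all three values."""
    salt = os.urandom(SALT_BYTES)           # step 2: random salt, one per user
    digest = hash_password(password, salt)  # steps 3-4
    user_store[user_id] = (digest, salt)    # step 5: store hash and salt


def verify_password(user_id: str, password: str) -> bool:
    """Verifying, steps 1-6: rehash with the stored salt and compare."""
    record = user_store.get(user_id)        # step 2: fetch hash and salt
    if record is None:
        # Unknown user: still do one hash so timing does not reveal which IDs exist.
        hash_password(password, bytes(SALT_BYTES))
        return False
    stored_digest, salt = record
    candidate = hash_password(password, salt)  # steps 3-4
    # Step 5: constant-time comparison, so a mismatch does not leak how many
    # leading bytes agreed.
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    save_password("alice", "correct horse battery staple")
    save_password("bob", "correct horse battery staple")
    print(verify_password("alice", "correct horse battery staple"))  # True
    print(verify_password("alice", "wrong"))                          # False
    # Same password, different per-user salts -> different stored hashes,
    # which is the point made in the comments above.
    print(user_store["alice"][0] != user_store["bob"][0])             # True
```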
+1  A: 

Basically as @Vojislav says.

You might want to look at bcrypt for the hashing - it's reputed to be very good.

Douglas Leeder
+3  A: 

Since you are using .NET and C#, you can use the System.Security.Cryptography.SHA512Managed namespace for generating the salt value and password hash.

Michael Kniskern