What format is the output of HashPasswordForStoringInConfigFile () and how to store it the best?

Question

I'm using this function to generate a hash for a password and then store it in the database (SQL Server).

The code looks like this:

byte[] saltBytes = new byte[16];
new RNGCryptoServiceProvider ().GetBytes (saltBytes);
string salt = Convert.ToBase64String (saltBytes);
string saltedPasswordHash =
FormsAuthentication.HashPasswordForStoringInConfigFile (password + salt, FormsAuthPasswordFormat.SHA1.ToString ());

Now the question: in what format is the output of HashPasswordForStoringInConfigFile () - do I store it as char(length) or nchar(length)?

Or is there any other preferred way to store the hash, maybe not as a string?

Any input and semi-relevant comments are greatly appreciated.

Answer 1

SQL Server supports binary columns (binary(len), and varbinary(len)) designed to store binary data. You might want to consider using them. In that case, you could use classes such as System.Security.Cryptography.SHA512Managed directly, instead of HashPasswordForStoringInConfigFile

Answer 2

Since you are using C#, it might be worth considering using a BCrypt hashing solution. It's designed on the BCrypt encryption algorithm by the guys writing OpenBSD and is a very strong algorithm. Best part is that you don't have to worry about salts (but they are there) and you can make salt generation hard as time goes on.

BCrypt.net - Strong Password Hashing for .NET and Mono