tags:

views:

44

answers:

1
+2  Q: 

Salting a password - are there better options than using a timestamp?

I'm currently building a couple of ASP.NET MVC 2 sites, and am wondering what my options are for salting a password. With my PHP work, I usually just obtained the timestamp of when a user registered, then appended it to the end of their password string before using SHA1 to hash the entire thing. My instinct is that this approach may not be sufficient.

I'm pretty new to user administration with ASP.NET anyway, so I figure it would be in my best interest to get started with best practices from the beginning. I know that ASP.NET web forms have built-in user administration available, but am unsure about MVC.

+2  A: 

The only point of a SALT is to prevent rainbow attacks, where multiple users have the same hash for their password, so reversing one password successfully means you also know it's the password for everybody else with the same hash. Even a single-digit salt will prevent that, since two users with the same password will have different hashes if they have different salts.

As long as the salt is something that won't change, and that is different for every user, any value will work well. Timestamp of their registration, provided you don't update that field (which would invalidate their password hash and prevent their login) is a fine choice.

rwmnau  2010-08-18 20:35:04
Thanks for the explanation. I always tend to doubt myself when it comes to things like this, so it's nice to know I was on the right track.
kevinmajor1  2010-08-18 20:50:23

related questions

How would you add salt to your existing password hashes?
is a GUID a good salt? is my register/login process got any flaw?
Password hashing, salt and storage of hashed values
Are hashed and salted passwords secure against dictionary attacks?
Mysql SHA salt
Is my authentication encryption any good?
Salting a C# MD5 ComputeHash on a stream
Storing salt in code instead of database
Salts and Passwords - prefix or postfix
Password hash and salting - is this a good method?
Encrypted passwords of not-encrypted passwords user base
how do I create a mySQL user with hash('sha256', $salt . $password)?
Salting Your Password: Best Practices?
PHP Sessions + Useragent with salt
What is the difference between a 'character' and an 'octet'?
Why do web applications insist on defining strict password rules?
Need some help understanding password salt
Client Side MD5 Hash with Time Salt
How best to generate a random salt for a Web Site?
What is the easiest way to create and compare a salted password in .NET?
Do I need to store the salt with bcrypt?
Why is a password salt called a "salt"?
How would you implement salted passwords in Tomcat 5.5
What is the optimal length for user password salt?
What is the salt in Enterprise Library HashProvider ? (SaltEnabled key)