Hashing Passwords With ASP.NET MVC 3

I am right now in the process of trying to figure out the best way of hashing the password for my ASP.NET MVC 3 application. From what I hear, it is good to use the given password and a random salt and then store the hashed password and salt together. My question is: won't that make the random salt pointless? I mean, the reason to hash a password is because if someone gets into your database, they don't have the plain passwords, and the salt makes it much, much harder to reverse the hash to get the password, but if I store the hash with the password, what is the point of the salt? (My knowledge of hashing is very limited, so I could be completely off base with my thinking.)

My second question is: what hashing method is the best one to use? I read that MD5 (which is what I have always used) is very simple to crack. I hear that bcrypt/SHA-512 are pretty good. Which one should I use? I know that C# by default comes with SHA-512 hashing. From what I can see, bcrypt is not included in the .NET library; are there any good libraries for C# and bcrypt?

ryanzec asked Jun 18 '11 15:06



3 Answers

There is no need to store the salt in a different location; you should always assume the salt is known by an attacker anyway, and its purpose is not to be an extra password!!!!

In .NET this API will do everything you need: it will create a big crypto-random salt as well as HMACSHA512 hashing and key stretching via byte swapping before each AES encryption pass :)

http://sourceforge.net/projects/pwdtknet/

hdizzle answered Nov 08 '22 16:11



Salting will increase the resistance against a rainbow/dictionary attack. A few security exploits that have occurred this year were because the web application's database contained passwords without a salt and they were done with md5. So a simple rainbow attack produced the password within seconds for a few users that used terrible passwords.

For providing user authentication with MVC 3, you should really use the framework for this sort of thing. Coming up with your own custom authentication provider could cause problems if you don't do it right.

Take a look at http://msdn.microsoft.com/en-us/library/ff398049%28v=VS.98%29.aspx and http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx. If you use the .NET membership system, you don't need to do any low-level database or password management. You just put the [Authorize] tags around the controller actions that need to be auth'd and you're done.

mattypiper answered Nov 08 '22 16:11



Here's a nice C# implementation of bcrypt:

http://bcrypt.codeplex.com/

gram answered Nov 08 '22 15:11
