Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is this a secure way to hash a password?

Tags:

c#

security

hash

Could you please tell me if the following is a good way to securely hash a password to be stored in a database:

    public string CreateStrongHash(string textToHash) {

        byte[] salt =System.Text.Encoding.ASCII.GetBytes("TeStSaLt");

        Rfc2898DeriveBytes k1 = new Rfc2898DeriveBytes(textToHash, salt, 1000);
        var encryptor = SHA512.Create();
        var hash = encryptor.ComputeHash(k1.GetBytes(16));

        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < hash.Length; i++) {
            sb.Append(hash[i].ToString("x2"));
        }

        return sb.ToString();

    }

Many Thanks in advance.

like image 360
ScubaSteve2012 Avatar asked Aug 31 '12 16:08

ScubaSteve2012

2 Answers

You use PBKDF2-SHA1, which is decent but not great. Bcrypt is a bit better, and scrypt is even stronger. But since .net already includes a built in PBKDF2 implementation, that's an acceptable choice.

Your biggest mistake is that you didn't get the point of a salt. A salt should be unique for each user. It's standard practice to simply create a random value of at least 64 bits. Store it together with the hash in the database.

If you want to, you can split the salt into two parts. One stored in the database alongside the user, which is different for each, and one shared part stored elsewhere. This gains the the advantages of both.

I also recommend using a higher workfactor than 1000. Figure out what performance is acceptable, and adjust accordingly. I wouldn't go below 10000, and in some situations(disk encryption) a million is acceptable too.

like image 167
CodesInChaos Avatar answered Oct 11 '22 01:10

CodesInChaos

It can be improved. First, you should use bcrypt instead. Traditional hashes like SHA-512 can be broken fairly easily with GPUs now-a-days. The problem is that these hashes are designed for speed, and this is the opposite of what you want in a password hash. Bcrypt is an example of an adaptive hash algorithm. It can be configured to take a "long" time (but still won't cause performance issues in your system) to make brute-forcing diffiult.

You also want to make the salts unique for each user.

For more information on how to securely hash passwords, see this question.

like image 34
Oleksi Avatar answered Oct 11 '22 01:10

Oleksi
Sign in to Comment

Related questions

InvalidOperationException The connection was not closed. The connection's current state is open
Garbage collection fails to reclaim BitmapImage?
what is the WinRT equivalent of InputBindings?
foreach and linq query - need help trying to understand please
5x Performance with Parallel.For... on a Dual Core?
Retrieve specific days of the week within a given range from Linq?
How to copy a List<T> without cloning
Show a new form when click a button
How use BufferList with SocketAsyncEventArgs and not get SocketError InvalidArgument?
GetChanges() Or RowState to get all changes of a datatable?
How to hide a sheet in Excel using OpenXML C#?
how to make an executable version of a WPF Kinect Application?
How To Center Align the Title Bar text In Windows Form?
C# jitter improvements in future framework versions
Evaluation order of named parameters [duplicate]
Repository pattern vs DTO pattern approach
Not able to use oData query options
Best practice for editing MVC3 auto generated code?
Randomly shuffle a List [duplicate]
How to refresh page using c# int every five minutes?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!