System.Web.Helpers.Crypto - Where's the salt?

In the past when dealing with passwords I've always stored a salt and a hashed password separately in my data store. Today I was looking to update some legacy code to use an RFC 2898 hash value. I came across the Crypto.Hash methods from System.Web.Helpers. It looks like these will do most of the heavy lifting for me. There are GenerateSalt(), HashPassword(), and VerifyHashedPassword() methods. The HashPassword() and VerifyHashedPassword() methods don't take a salt value. The MSDN documentation for the HashPassword() method says:

"The format of the generated hash bytestream is {0x00, salt, subkey}, which is base-64 encoded before it is returned."

Do I need to worry about a salt? The documentation seems to say that a salt will be generated automatically and stored in the base-64 encoded value? Is this correct? All I need to store is the string returned from HashPassword()?

Mark asked Jul 17 '13 07:07


1 Answer

Answer

All passwords need to be salted in order to hash them securely. In this case, however, you are correct. System.Web.Helpers.Crypto takes care of creating a salt for you. You don't need to create one. It is stored in the string returned by Crypto.HashPassword().

Example

All you need to do is something like this.

using System.Web.Helpers;

public void SavePassword(string unhashedPassword)
{
    string hashedPassword = Crypto.HashPassword(unhashedPassword);
    //Save hashedPassword somewhere that you can retrieve it again.
    //Don't save unhashedPassword! Just let it go.
}

public bool CheckPassword(string unhashedPassword)
{
    //Get hashedPassword from where you saved it.
    //LoadHashedPassword() is a placeholder for your own lookup, not part of System.Web.Helpers.
    string savedHashedPassword = LoadHashedPassword();

    return Crypto.VerifyHashedPassword(savedHashedPassword, unhashedPassword);
}

More Information

  • If you would like to see the source code for the Crypto class you can view it here.
  • And here is a good blog on the class and some of the ideas behind it.
Mark Rucker answered Nov 19 '22 09:11
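The answer's point is that the salt is not lost, it is carried inside the string HashPassword() returns in the {0x00, salt, subkey} layout quoted from MSDN. The Python below is an added example written for this page, not code from System.Web.Helpers or from the answer: it builds a string in that layout, splits one back into its three fields, and verifies a password by re-deriving the subkey with the salt it pulled out of the stored string. The PBKDF2 parameters (HMAC-SHA1, 1000 iterations, 16-byte salt, 32-byte subkey, UTF-8 password encoding) are assumed here to match the Crypto class; the page itself only states the byte layout.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters (not stated on the page): PBKDF2 with HMAC-SHA1,
# 1000 iterations, 16-byte random salt, 32-byte derived subkey.
VERSION_BYTE = 0x00
SALT_SIZE = 16
SUBKEY_SIZE = 32
ITERATIONS = 1000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a base-64 string laid out as {0x00, salt, subkey}.

    A fresh random salt is drawn when none is supplied, which is why two calls
    with the same password give different strings. The salt argument exists
    only so tests can pin the output; production callers should leave it None.
    """
    if salt is None:
        salt = os.urandom(SALT_SIZE)
    if len(salt) != SALT_SIZE:
        raise ValueError("salt must be %d bytes" % SALT_SIZE)
    subkey = hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt, ITERATIONS, SUBKEY_SIZE
    )
    return base64.b64encode(bytes([VERSION_BYTE]) + salt + subkey).decode("ascii")


def parse_hashed_password(hashed: str) -> Tuple[int, bytes, bytes]:
    """Split a stored string back into (version byte, salt, subkey).

    Raises ValueError (or binascii.Error for bad base-64) on anything that is
    not exactly 1 + 16 + 32 bytes with a zero version byte.
    """
    raw = base64.b64decode(hashed, validate=True)
    if len(raw) != 1 + SALT_SIZE + SUBKEY_SIZE:
        raise ValueError("unexpected length %d" % len(raw))
    if raw[0] != VERSION_BYTE:
        raise ValueError("unknown format version byte 0x%02x" % raw[0])
    return raw[0], raw[1:1 + SALT_SIZE], raw[1 + SALT_SIZE:]


def verify_hashed_password(hashed: str, password: str) -> bool:
    """Re-derive the subkey with the embedded salt and compare in constant time.

    Malformed stored values count as a failed check rather than an exception,
    so a corrupted row cannot turn into an unhandled error on the login path.
    """
    try:
        _, salt, stored_subkey = parse_hashed_password(hashed)
    except (ValueError, binascii.Error):
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt, ITERATIONS, SUBKEY_SIZE
    )
    return hmac.compare_digest(candidate, stored_subkey)


if __name__ == "__main__":
    # Constructed demo: show that the only thing worth storing is the one string.
    stored = hash_password("correct horse battery staple")
    version, salt, subkey = parse_hashed_password(stored)
    print("stored string :", stored)
    print("version byte  :", version)
    print("salt (hex)    :", salt.hex(), "(%d bytes)" % len(salt))
    print("subkey (hex)  :", subkey.hex(), "(%d bytes)" % len(subkey))
    print("right password:", verify_hashed_password(stored, "correct horse battery staple"))
    print("wrong password:", verify_hashed_password(stored, "Tr0ub4dor&3"))
```

The stored string is the whole record: nothing has to be kept beside it, and the verifier never needs a salt argument because it reads the salt out of the string first. The version byte is what lets a later scheme (different iteration count or hash) be told apart from old rows while both coexist in the same column.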