In the past when dealing with passwords I've always stored a salt and a hashed password separately in my data store. Today I was looking to update some legacy code to use a RFC 2898 hash value. I came across the Crypto.Hash
methods from System.Web.Helpers
. It looks like these will do most of the heavy lifting for me. There are GenerateSalt()
, HashPassword()
, and VerifyHashedPassword()
methods. The HashPassword()
and VerifyHashedPassword()
methods don't take a salt value. The MSDN documentation for HashPassword()
method says:
"The format of the generated hash bytestream is {0x00, salt, subkey}, which is base-64 encoded before it is returned."
Do I need to worry about a salt? The documentation seems to say that a salt will be generated automatically and stored in the base-64 encoded value? Is this correct? All I need to store is the string returned from HashPassword()
?
All passwords need to be salted in order to hash them securely. In this case, however, you are correct. System.Web.Helpers.Crypto takes care of creating a salt for you. You don't need to create one. It is stored in the string returned by Crypto.HashPassword().
All you need to do is something like this.
using System.Web.Helpers;
public void SavePassword(string unhashedPassword)
{
string hashedPassword = Crypto.HashPassword(unhashedPassword);
//Save hashedPassword somewhere that you can retrieve it again.
//Don't save unhashedPassword! Just let it go.
}
public bool CheckPassword(string unhashedPassword)
{
string savedHashedPassword = //get hashedPassword from where you saved it
return Crypto.VerifyHashedPassword(savedHashedPassword, unhashedPassword)
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With