How to easily salt a password in a Windows C # form application?

Question

How to easily salt a password in a Windows C # form application?

How can I easily salt the password from Textbox.Text?

Is there any built-in wizardry in the .NET platform?

+7

c # .net passwords winforms salt

Sergio tapia Jun 17 '10 at 15:29

source share

5 answers

I assume that you are asking for a username along with a password?

On some systems, the username is used as a salt. (And I think this is normal.) Otherwise, you will need to store the salt somewhere and get it before hashing (in the case of a randomly generated salt) or have an algorithm that returns the same salt for the same user (and not better than just using a simple username).

Personally use the following code:

 byte[] GetSaltedPasswordHash(string username, string password) { byte[] pwdBytes = Encoding.UTF8.GetBytes(password); // byte[] salt = BitConverter.GetBytes(userId); byte[] salt = Encoding.UTF8.GetBytes(username); byte[] saltedPassword = new byte[pwdBytes.Length + salt.Length]; Buffer.BlockCopy(pwdBytes, 0, saltedPassword, 0, pwdBytes.Length); Buffer.BlockCopy(salt, 0, saltedPassword, pwdBytes.Length, salt.Length); SHA1 sha = SHA1.Create(); return sha.ComputeHash(saltedPassword); }

+4

Regent Jun 17 '10 at 16:48

source share

Here's a good article and one more (which is more suited to ASP.NET applications).

+2

Darin Dimitrov Jun 17 '10 at 15:33

source share

No magic, salt is just some random text added to a password to defeat verbal attacks - create your own drowsiness.

0

Adam houldsworth Jun 17 '10 at 15:37

source share

Take a look at hmac features like hmacdm5 , hmacsha1 or hmacsha256 .
Take a look at the System.Security.Cryptography namespace .

0

tanascius Jun 17 '10 at 15:37

source share

Randolpho · Accepted Answer · 2010-06-17T15:44:16+0000

We recently had a great discussion about best practices for using a password, you could find great ideas there:

Salting Your Password: Best Practices?

I found that one of the simplest, although fairly safe, is to use a GUID as your salt. It is random and long enough. It works best if you enable GUID string formatting (the characters '{' and '-'), but you don't need this.

Remember that salt should be unique for each cell, and this is the most secure, you should use a cryptographically secure random number generator. Remember also that you must store the salt along with the password, otherwise you will not be able to check the plaintext version against the hash version! You can store salt that is not encrypted if you want; Usually I put it in a field in the same table as the password. The purpose of salt is not to remain hidden, it is to make complex rainbow tables (hopefully impossible) for timely calculation.

Here is a quick snippet that will work in C #:

RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider(); byte[] buffer = new byte[1024]; rng.GetBytes(buffer); string salt = BitConverter.ToString(buffer); var saltedPassword = password + salt;

or...

 var salt = Guid.NewGuid().ToString(); var saltedPassword = password + salt;

How to easily salt a password in a Windows C # form application?

More articles: