Geek Answers Handbook

Password hashing with ASP.NET MVC 3

Now I am trying to figure out the best way to hash the password for my ASP.NET MVC 3 application. From what I hear, it is useful to use this password and random salt, and then store the hashed password and salt together. My question is not that useless random salt? I mean the reason for password hashing, because if someone gets into your database, they don't have simple passwords, and salt makes it much harder to change the hash to get the password, but if I save the hash with the password, what's the point of salt (my knowledge of hashing is limited, so I could completely abandon my thinking).

My second question is which hashing method is best to use? I read that MD5 (which I always used) is very easy to crack. I heard that bcrypt / sha512 are pretty good. Which one should I use? I know that C # comes with sha512 hashing by default. From what I see, bcrypt is not included in the .NET library, are there any good libraries for C # and bcrypt?

+7
source share
6 answers

there is no need to store the salt in another place, you should always assume the salt known to the attacker, and its purpose is not to be an additional password !!!!

In .NET, this API will do everything you need, it will create a large crypto-salt, as well as HMACSHA512 hashing and key extension with byte replacement before each pass through AES encryption :)

http://sourceforge.net/projects/pwdtknet/

+10
source

SHA512 is a good choice for hashing in .net, and if you store the salt with a password, it is a little pointless (but it will take longer to โ€œdecryptโ€ it anyway), but you can store the salt somewhere else, so DB is not enough:

  • store salt only somewhere else
  • always use the same salt and, for example, copy it to code or save in the application settings
  • generates salt for each user from some other information, for example. MD5 user ID
  • generates salt for all users from some system settings, such as hostname or similar

UPDATE:
Since Mike has already stated that I am mistaken in the โ€œmeaninglessโ€ statement above. Even when the salt is known, it will display the Rainbow Table Attacks are useless (or much more unlikely), so you should always use the salt even if it is stored salt right next to the hash (for example, linux stores user passwords in a shadow file in the form of "$ id $ salt $ hashed ")!

+1
source

Salting will increase resistance against rainbow / dictionary attacks. Several security exploits that occurred this year were related to the fact that the web application database contained salt-free passwords and they were executed using md5. Thus, a simple rainbow attack created a password in a few seconds for several users who used horrible passwords.

To ensure user authentication with MVC 3, you really should use a framework for this kind of thing. Purchasing your own authentication provider can cause problems if you do not do it right.

Take a look at http://msdn.microsoft.com/en-us/library/ff398049%28v=VS.98%29.aspx and http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx . If you use the .NET membership system, you do not need to run a low-level database or password management. You simply put [Authorize] tags around controller actions that need to be authenticated and executed.

+1
source

Here's a good C # implementation for bcrypt:

http://bcrypt.codeplex.com/

+1
source

I always used the following approach for storing passwords

public static string MD5Hash(string value) { return Convert.ToBase64String(new MD5CryptoServiceProvider().ComputeHash(new UTF8Encoding().GetBytes(value))); }

There has never been a question whether such a hash can be restored to the original password.

-one
source

If they hacked into your security database to steal a hashed password from people, it is unlikely that they really need a password at this point. Most likely, they already have access to all the data in the database. An MD5 hash is probably suitable for an average website if it is something simple with data that is not valuable. Other more complex hashing methods will be good for data that is likely to be valuable.

-one
source

More articles:


All Articles