Is this a secure way to hash a password?

Could you tell me if the following method is a safe way to hash a password for storage in the database:

using System;
using System.Security.Cryptography;
using System.Text;

public string CreateStrongHash(string textToHash)
{
    // The same hard-coded salt is used for every password
    byte[] salt = Encoding.ASCII.GetBytes("TeStSaLt");

    // PBKDF2 (this constructor uses HMAC-SHA1) with 1000 iterations
    using (var k1 = new Rfc2898DeriveBytes(textToHash, salt, 1000))
    using (var encryptor = SHA512.Create())
    {
        // Take 16 bytes of derived key material and hash them once more with SHA-512
        byte[] hash = encryptor.ComputeHash(k1.GetBytes(16));

        // Encode the 64-byte digest as lowercase hex
        var sb = new StringBuilder();
        for (int i = 0; i < hash.Length; i++)
        {
            sb.Append(hash[i].ToString("x2"));
        }
        return sb.ToString();
    }
}

Thank you very much in advance.

+7
2 answers

You are using PBKDF2-SHA1, which is decent but not great. Bcrypt is a little better, and scrypt is stronger still. But since .NET already includes a built-in implementation of PBKDF2, this is an acceptable choice.

The biggest mistake is that you missed the point of the salt. The salt must be unique to each user. The standard practice is simply to generate a random value of at least 64 bits and store it next to the hash in the database.

If you want, you can split the salt into two parts: one stored in the database next to the user, which is different for each user, and one common part stored somewhere else. This combines the benefits of both.

I also recommend using a higher work factor than 1000. Find out what performance is acceptable and adjust it accordingly. I would not go below 10000, and in some situations (disk encryption) a million is also acceptable.

+7
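The following is an added example, not code from the question or either answer, showing PBKDF2 used the way the answer above describes: a random per-user salt stored with the hash, a configurable iteration count well above 10000, an optional common "pepper" kept outside the database (the answer's second salt part, here simply appended to the per-user salt before deriving), and a constant-time comparison on verify. It assumes .NET 6 or later for the static Rfc2898DeriveBytes.Pbkdf2 and RandomNumberGenerator.GetBytes APIs; the class, method names and the storage format "iterations$salt$hash" are my own choices, and the pepper value and sample password are constructed for the demo.

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Text;

// Illustrative helper; names and storage layout are assumptions, not a standard.
public static class PasswordHasher
{
    const int SaltBytes = 16;        // 128-bit per-user random salt (answer asks for >= 64 bits)
    const int HashBytes = 32;        // 256-bit derived key
    const int Iterations = 100_000;  // above the 10000 floor; tune with MeasureMilliseconds

    // Produces the string to store in the DB: iterations$base64(salt)$base64(hash).
    // Storing the iteration count lets you raise it later without breaking old records.
    public static string Hash(string password, byte[] pepper, int iterations = Iterations)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);   // unique per call / per user
        byte[] hash = Derive(password, salt, pepper, iterations);
        return $"{iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(hash)}";
    }

    public static bool Verify(string password, string stored, byte[] pepper)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations)) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Derive(password, salt, pepper, iterations);
        // Constant-time comparison so timing does not reveal how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // Per-user salt || pepper becomes the PBKDF2 salt. An attacker who only has the
    // database dump is missing the pepper, which is the "split salt" idea from the answer.
    static byte[] Derive(string password, byte[] salt, byte[] pepper, int iterations)
    {
        byte[] fullSalt = new byte[salt.Length + pepper.Length];
        Buffer.BlockCopy(salt, 0, fullSalt, 0, salt.Length);
        Buffer.BlockCopy(pepper, 0, fullSalt, salt.Length, pepper.Length);
        return Rfc2898DeriveBytes.Pbkdf2(
            Encoding.UTF8.GetBytes(password), fullSalt, iterations, HashAlgorithmName.SHA256, HashBytes);
    }

    // Times one hash so the iteration count can be calibrated to the server it runs on.
    public static double MeasureMilliseconds(int iterations)
    {
        byte[] pepper = new byte[16];
        var sw = Stopwatch.StartNew();
        Hash("benchmark", pepper, iterations);
        sw.Stop();
        return sw.Elapsed.TotalMilliseconds;
    }

    public static void Main()
    {
        // Constructed values for the demo; a real pepper comes from config or a secret store.
        byte[] pepper = Encoding.UTF8.GetBytes("example-pepper-kept-outside-db");
        string stored = Hash("correct horse battery staple", pepper);
        Console.WriteLine(stored);
        Console.WriteLine(Verify("correct horse battery staple", stored, pepper));
        Console.WriteLine(Verify("wrong password", stored, pepper));
        Console.WriteLine($"{Iterations} iterations: {MeasureMilliseconds(Iterations):F1} ms");
    }
}
```

Run MeasureMilliseconds on the production hardware and raise Iterations until a login costs as much time as you are willing to spend (tens of milliseconds is common); because the count is stored with each record, existing users can be re-hashed to the new cost on their next successful login.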

It can be improved. First, use bcrypt. Traditional hashes such as SHA-512 can now be broken easily using GPUs. The problem is that these hashes are designed for speed, which is the opposite of what you want in a password hash. Bcrypt is an example of an adaptive hash algorithm: it can be configured to take a "long" time (without causing performance problems on your system) to make brute-forcing difficult.

You also want to make the salt unique for each user.

For more information on how to hash passwords safely, see this question.

+5
