Hashing your passwords is not enough: there are a number of hash databases storing huge numbers of hash values which act as a reverse lookup, revealing the original password behind your hash.
In my first post on the subject, I explained how to hash passwords for storage in a database. Here is the revised method, which adds a "Salt" to your value before hashing to protect your password hash from reverse lookup.
```csharp
using System;
using System.Security.Cryptography;
using System.Text;

/// <summary>
/// <para>Get a hash value for the string passed</para>
/// </summary>
public static string Hash(string value, bool base64Encode) {
    var service = new MD5CryptoServiceProvider();
    // Append the application-wide salt (read from the .config) before hashing,
    // so a plain reverse-lookup table of MD5(password) no longer matches.
    var bytes = service.ComputeHash(
        Encoding.Default.GetBytes(
            string.Concat(value, Settings.Default.SecurityHashSalt)));
    // Either base64-encode the digest for storage, or return the raw bytes as text.
    return base64Encode
        ? Convert.ToBase64String(bytes)
        : Encoding.Default.GetString(bytes);
}
```
Putting the "Salt" into the .config of your application does mean that your application hosting must be secure. You could hard-code it into your application instead, but even then your assembly can be decompiled.
Anyhow, I use a GUID for my salt, adding a few random chars of my own just for good luck.
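The method above uses one application-wide salt and MD5. As an added example (not code from the original post), the following shows the same idea in the form a practitioner would use for new code: a random per-user salt stored next to the hash, so one precomputed table no longer covers every account, and PBKDF2 (Rfc2898DeriveBytes) in place of MD5 so each guess is deliberately slow. The iteration count and the "iterations:salt:hash" storage layout are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography;

public static class PasswordHasher
{
    const int SaltSize = 16;       // random salt bytes generated per user
    const int HashSize = 32;       // derived key bytes
    const int Iterations = 100000; // assumption: tune so one hash costs ~100 ms on your hardware

    // Hash a password under a fresh random salt. The result "iterations:salt:hash"
    // (base64) is what gets stored; the salt is not secret and lives in the same row.
    public static string Hash(string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return string.Join(":", Iterations, Convert.ToBase64String(salt),
                               Convert.ToBase64String(kdf.GetBytes(HashSize)));
    }

    // Re-derive with the stored salt and iteration count, then compare in constant time.
    public static bool Verify(string password, string stored)
    {
        var parts = stored.Split(':');
        if (parts.Length != 3) return false;
        var salt = Convert.FromBase64String(parts[1]);
        var expected = Convert.FromBase64String(parts[2]);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, int.Parse(parts[0])))
            return FixedTimeEquals(kdf.GetBytes(expected.Length), expected);
    }

    // OR together every byte difference so the time taken does not depend on
    // where the first mismatching byte is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        var diff = 0;
        for (var i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        var first = Hash("correct horse");
        var second = Hash("correct horse");
        Console.WriteLine("Same password, different stored values: " + (first != second));
        Console.WriteLine("Right password verifies: " + Verify("correct horse", first));
        Console.WriteLine("Wrong password verifies: " + Verify("wrong horse", first));
    }
}
```

Because the salt and iteration count are stored with each hash, the count can be raised for new users later without invalidating existing rows.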