Welcome to our Secure Development Tips blog

Every other week, we provide expert tech tips on how to build and deploy secure applications. These best practices, derived from Security Innovation's assessments of the world's most dominant software applications, are taken directly from our TeamMentor product, which includes more than 3,500 guidance assets and articles on secure software design, coding and testing.


How to Hash and Salt Passwords in ASP.NET


Summary

Use a hashing algorithm, such as SHA256, to store passwords rather than storing them in clear text or in reversible (encrypted) form, and salt each hash with a per-user random value so that identical passwords produce different hashes and precomputed (rainbow) tables are useless. Keep in mind that SHA256 is a fast hash, so an attacker who obtains the table can still try many guesses per second; where available, a purpose-built password derivation function with a high iteration count (PBKDF2, exposed in .NET as Rfc2898DeriveBytes) makes offline guessing considerably slower and is the better choice.

Step 1. Compute the Salt

You can compute the salt value by using the RNGCryptoServiceProvider class, as shown in the following code example. Use this cryptographic generator, not System.Random, whose output is predictable, and generate a fresh salt for every password; 16 bytes is a sensible minimum length.

using System.Security.Cryptography;
...
private static string CreateSalt(int size)
{
    // Generate a cryptographic random number using the cryptographic
    // service provider. 'size' is the salt length in bytes.
    byte[] buff = new byte[size];
    using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
    {
        rng.GetBytes(buff);
    }
    // Return a Base64 string representation of the random number
    return Convert.ToBase64String(buff);
}

Note: If you use the ASP.NET SQL Server membership provider, you can configure it to store password hashes with added salt by setting passwordFormat="Hashed" on the provider configuration. 

Step 2. Combine Password and Salt

Concatenate the password and the salt (for example, password followed by salt). The order does not matter for security, but it must be exactly the same when the password is first stored and when a login attempt is later checked, or the recomputed hash will never match.

Step 3. Hash the Password and the Salt

The following code example shows how to use a hashing algorithm, such as SHA256, to hash the combined password-and-salt string from Step 2.

using System.Security.Cryptography;
...
// stringDataToHash is the concatenated password and salt from Step 2.
private static string HashSaltedPassword(string stringDataToHash)
{
    // Create a new instance of the hash crypto service provider.
    using (HashAlgorithm hashAlg = new SHA256CryptoServiceProvider())
    {
        // Convert the data to hash to an array of bytes.
        byte[] bytValue = System.Text.Encoding.UTF8.GetBytes(stringDataToHash);
        // Compute the hash. This returns an array of bytes.
        byte[] bytHash = hashAlg.ComputeHash(bytValue);
        // Represent the hash value as a Base64-encoded string so that it
        // can be stored in a text column or displayed.
        return Convert.ToBase64String(bytHash);
    }
}

Step 4. Store the Hash and the Salt

Store the hash and the salt in the location of your choosing. Make sure to store the salt along with the hash, because the salt is necessary for computing hashes when checking user-entered passwords: to verify a login, read the stored salt for that user, recompute the hash from the submitted password and that same salt (never a freshly generated one), and compare the result with the stored hash. Compare the complete hash value rather than stopping at the first differing byte, so that response timing does not leak how much of the hash a guess got right.


Adapted from Microsoft patterns & practices guidance.
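The four steps above, together with the verification step the article leaves implicit, as one complete program. This is an added example written for this page, not code from the original article or from Microsoft patterns & practices; the class and member names (PasswordRecord, PasswordHasher, Create, Verify, CreatePbkdf2, FixedTimeEquals) are illustrative, and it assumes .NET Framework 4.x, where SHA256CryptoServiceProvider, RNGCryptoServiceProvider and Rfc2898DeriveBytes are all available. It goes slightly beyond the text by also showing the slower PBKDF2 variant through the same verify path.

```csharp
// Added example, not part of the original article. Assumes .NET Framework 4.x.
// All class and member names here are illustrative, not any Microsoft API.
using System;
using System.Security.Cryptography;
using System.Text;

// Step 4: what is persisted per user. Iterations is 0 for plain salted SHA-256.
public sealed class PasswordRecord
{
    public string Salt;
    public string Hash;
    public int Iterations;
}

public static class PasswordHasher
{
    // Step 1: a fresh random salt per password from the cryptographic RNG.
    public static byte[] CreateSalt(int size)
    {
        byte[] salt = new byte[size];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(salt);
        }
        return salt;
    }

    // Steps 2 and 3: password bytes followed by salt bytes, hashed with SHA-256.
    public static byte[] HashPassword(string password, byte[] salt)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[pwd.Length + salt.Length];
        Buffer.BlockCopy(pwd, 0, input, 0, pwd.Length);
        Buffer.BlockCopy(salt, 0, input, pwd.Length, salt.Length);
        using (HashAlgorithm sha = new SHA256CryptoServiceProvider())
        {
            return sha.ComputeHash(input);
        }
    }

    // Step 4: build the record to store; the salt is kept next to the hash.
    public static PasswordRecord Create(string password)
    {
        byte[] salt = CreateSalt(16);
        byte[] hash = HashPassword(password, salt);
        return new PasswordRecord { Salt = Convert.ToBase64String(salt),
                                    Hash = Convert.ToBase64String(hash) };
    }

    // Verification: recompute with the STORED salt, never a new one, and
    // compare the whole hash so timing does not reveal where it diverged.
    public static bool Verify(string candidate, PasswordRecord stored)
    {
        byte[] salt = Convert.FromBase64String(stored.Salt);
        byte[] expected = Convert.FromBase64String(stored.Hash);
        byte[] actual = stored.Iterations > 0
            ? Pbkdf2(candidate, salt, stored.Iterations)
            : HashPassword(candidate, salt);
        return FixedTimeEquals(expected, actual);
    }

    // Slower variant: PBKDF2 (Rfc2898DeriveBytes, HMAC-SHA1) makes every guess
    // cost the attacker 'iterations' hash computations instead of one.
    public static PasswordRecord CreatePbkdf2(string password, int iterations)
    {
        byte[] salt = CreateSalt(16);
        byte[] key = Pbkdf2(password, salt, iterations);
        return new PasswordRecord { Salt = Convert.ToBase64String(salt),
                                    Hash = Convert.ToBase64String(key), Iterations = iterations };
    }

    private static byte[] Pbkdf2(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
        {
            return kdf.GetBytes(32);
        }
    }

    // Compares every byte regardless of where the first mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        PasswordRecord fast = Create("correct horse battery staple");
        PasswordRecord slow = CreatePbkdf2("correct horse battery staple", 100000);
        Console.WriteLine(Verify("correct horse battery staple", fast) + " " + Verify("wrong", fast));
        Console.WriteLine(Verify("correct horse battery staple", slow) + " " + Verify("wrong", slow));
    }
}
```

The one thing that separates this from the fragments above is that Verify reads the salt back out of the stored record; generating a new salt at login time is the usual cause of "my hashes never match". The iteration count is stored with the record so it can be raised for new users later without invalidating old ones.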

Comments

Hi, 
Thank you for this information, but I am not able to verify the entered username with the salted password stored in the database. Please help... 
Thank You
Posted @ Monday, June 27, 2011 7:56 AM by Shoeb
Did you include the salt when computing the hash to validate the stored password?
Posted @ Wednesday, July 20, 2011 4:43 AM by Serge Truth
I had to fend off password storage questions from a security conscious client yesterday, and learnt some things in the process. Here’s a brain dump so I can close the tabs and move on. 
 
As long as you set passwordFormat="Hashed" in the web.config file, the passwords are hashed. By default it's SHA-1, but you can change it. "What is default hash algorithm that asp.net membership uses" has lots of information about how they do it. The passwords are hashed using a random salt. 
 
Apparently SHA-1 is broken. Not cracked, just broken, they’ve managed to get hash collisions in 2^69 operations, whatever that means. 
 
I don't think I know enough about cryptography to understand what this means, but the comments on that blog post are interesting. "Is SHA-1 secure for password storage?" has a nice tl;dr summary at the top too.
Posted @ Thursday, October 20, 2011 12:43 AM by Australian switchboard