It appears the issue I was discussing about storing passwords is finally getting a little more attention. This article was posted on /. today and sums up the problem very clearly:

Are you sure SHA-1+salt is enough for passwords?

This is exactly what I was talking about in “Another example of how to store a salted password hash”. You cannot just concatenate some GUID with the user's password, run a single pass of a fast hash algorithm over it and expect the result to be secure. A salt defeats precomputed tables, but it does nothing to slow down an attacker who already has your database and can test an enormous number of SHA-1 guesses per second against each record on commodity hardware; what you need on top of the salt is a deliberately slow derivation. I'm constantly amazed at the amount of both good and bad information available online about storing passwords. If you're going down this road you need to ask yourself a couple of questions. First, is it possible for you to use OpenID or another remote login provider, so that your site does not become yet another point of attack on the internet? If you cannot, then invest the time and energy to ensure that anything you store could be handed to an attacker outright and still be relatively safe from abuse.

Again, in its simplest form the following code produces a secure-enough password hash: PBKDF2 (Rfc2898DeriveBytes) with a random 128-bit salt and 10,000 iterations, so every guess costs the attacker 10,000 HMAC-SHA1 computations instead of one:

using System.Security.Cryptography;

byte[] salt = new byte[16], hash;
new RNGCryptoServiceProvider().GetBytes(salt);                       // 128-bit random salt, generated fresh for every password
hash = new Rfc2898DeriveBytes(password, salt, 10000).GetBytes(20);  // PBKDF2-HMAC-SHA1, 10,000 iterations, 160-bit derived key
// Store salt, iteration count and hash together; to verify, re-derive with the stored salt and count and compare.
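The same scheme written out end to end, as an added example that is not code from the original post: it mirrors the C# parameters (PBKDF2-HMAC-SHA1, 16-byte random salt, 10,000 iterations, 20-byte key) using Python's hashlib.pbkdf2_hmac, which implements the same RFC 2898 function as Rfc2898DeriveBytes, so the stored bytes are interchangeable. The record layout (algorithm$iterations$salt$hash), the naive_hash helper showing the GUID-plus-SHA-1 pattern the post argues against, and the sample passwords and GUID are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Parameters mirror the C# snippet in the post: PBKDF2-HMAC-SHA1, a 16-byte
# random salt, 10,000 iterations and a 20-byte derived key.  hashlib.pbkdf2_hmac
# is the same RFC 2898 function that Rfc2898DeriveBytes implements.
ITERATIONS = 10_000
SALT_LEN = 16
DK_LEN = 20
ALGO = "pbkdf2_sha1"


def naive_hash(guid: str, password: str) -> str:
    """The pattern the post argues against: one fast SHA-1 over guid + password."""
    return hashlib.sha1((guid + password).encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS, salt: bytes = None) -> str:
    """Derive a key with PBKDF2 and return a self-describing record.

    Record layout (an assumed convention, not from the post):
        algorithm$iterations$salt_hex$dk_hex
    Storing the salt and iteration count beside the hash lets the count be
    raised later without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, DK_LEN)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported record type: {algo}")
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), DK_LEN)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def guesses_per_second(check, candidates) -> float:
    """Time how fast someone holding the stored data can test candidate passwords."""
    start = time.perf_counter()
    for guess in candidates:
        check(guess)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return len(candidates) / elapsed


def cost_ratio(n_guesses: int = 20) -> float:
    """How many times slower an offline guess is against the PBKDF2 record than
    against a single salted SHA-1, on this machine, for the same wordlist."""
    wordlist = [f"password{i}" for i in range(n_guesses)]  # constructed guesses
    guid = "9c1f3d2e-0000-4000-8000-000000000001"          # constructed GUID used as the naive salt
    naive_target = naive_hash(guid, "correct horse")
    strong_target = hash_password("correct horse")
    fast = guesses_per_second(lambda g: naive_hash(guid, g) == naive_target, wordlist)
    slow = guesses_per_second(lambda g: verify_password(g, strong_target), wordlist)
    return fast / slow


if __name__ == "__main__":
    record = hash_password("correct horse")
    print("stored:", record)
    print("right password verifies:", verify_password("correct horse", record))
    print("wrong password verifies:", verify_password("battery staple", record))
    print(f"offline guessing is ~{cost_ratio():,.0f}x slower against PBKDF2")
```

Two things worth noticing when you run it: hashing the same password twice yields two different records because the salt is random, and the cost ratio comes out in the thousands, which is the whole point of the iteration count. Keeping the count inside the record is what lets you raise it as hardware gets faster.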