It appears the issue I was discussing about storing passwords is finally getting a little more attention. This article was posted on /. today and sums up the problem very clearly: Are you sure SHA-1+salt is enough for passwords? This is exactly what I was talking about in “Another example of how to store a [...]
I ran across this post titled “Salted Password Hashing” over on dotnetshoutout.com. I’m amazed at all the little problems here, so before we continue with how to do this, let’s look at what you should not do: First, hashed passwords, even when using salt, are possible to crack with a dictionary attack. Computers are fast [...]
Most people I’ve seen online compute a simple hash of password + salt for persistence and authentication. This is the accepted standard in a straightforward solution:

byte[] Hash(string password)
{
    byte[] pass = System.Text.Encoding.UTF8.GetBytes(password);
    //Create the salt to use
    byte[] salt = new byte[32];
    new RNGCryptoServiceProvider().GetBytes(salt);
    //Create the hash of password and salt
    HashAlgorithm hashAlgo [...]