This is an interesting bit I read upon. I was deliberating on how to best ensure the safety of my users by exploring how to avoid saving raw password in the database. I realised that this is with the assumption that in the event of an hacker getting access to the db or any password repository, he should not be able to abuse it. We have often read about hashing the password, but with the invent of rainbow tables, salting has become more of necessity. By salting and the hashing, we create a hashed value which is highly unlikley to be present in the reainbow table.
The steps I’d follow is:
1. Create an arbitary string value for each user. This will be one salt per user. This should be stored seperately.
2. Append or prepend the slat to the password.
3. Create a hash using one of the built-in hash algorithms provided by .net under System.Security.Cryptography namespace like SHA1, MD5. For more information, see here: http://msdn.microsoft.com/en-us/library/system.security.cryptography.hashalgorithm.aspx
4. Store this value i.e. hash([salt][password])
Now when it comes to authenticating users, you can take the password passed in by the user, get his salt and the hash it. Compared the result with the one stored in the system for authentication.
I found this article also interesting: http://dustwell.com/how-to-handle-passwords.html