Salting passwords

This is an interesting bit I read up on. I was deliberating on how best to protect my users by exploring how to avoid saving raw passwords in the database. The assumption is that if an attacker gets access to the database, or to any other password repository, they should not be able to abuse what they find. We have often read about hashing passwords, but with the advent of rainbow tables, salting has become a necessity. By salting and then hashing, we create a hashed value that is highly unlikely to be present in any rainbow table, since the attacker would need a separate precomputed table for every salt.

The steps I’d follow are:

1. Create a random value for each user, generated with a cryptographically secure random number generator (not a predictable string such as the username or a timestamp). This will be one salt per user. The salt does not need to be kept secret, only unique per user, so it is normally stored in the same record as the hash.

2. Append or prepend the salt to the password.

3. Create a hash using one of the built-in algorithms provided by .NET under the System.Security.Cryptography namespace. SHA1 and MD5 are the obvious candidates, but both are fast general-purpose hashes (and neither is still considered collision-resistant); a single salted round of either can be brute-forced at billions of guesses per second on commodity hardware. Prefer a deliberately slow, iterated key-derivation function such as PBKDF2 (Rfc2898DeriveBytes in the same namespace), bcrypt, scrypt or Argon2. For more information, see here:

4. Store this value, i.e. hash([salt][password]), together with the salt (and, for an iterated function, the iteration count) so that the same computation can be repeated later.

Now when it comes to authenticating a user, take the password they submit, look up their salt, and hash the two together in exactly the same way. Compare the result with the value stored in the system; if the two match, the user is authenticated. Use a constant-time comparison so that the check does not leak how many leading bytes were correct.
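The four steps above and the verification step, as an added example in C# (this is not code from the original post; it assumes .NET 6 or later for the static Rfc2898DeriveBytes.Pbkdf2 and RandomNumberGenerator.GetBytes APIs, and the iteration count is an assumed value to be tuned for your hardware). It shows the post’s literal salt-then-SHA-256 construction for comparison, beside a hardened version that uses PBKDF2 and a constant-time comparison:

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the original post's code. Requires .NET 6+.
public static class PasswordStore
{
    const int SaltSize = 16;        // 128-bit random salt, one per user
    const int HashSize = 32;        // 256-bit derived key
    const int Iterations = 600_000; // PBKDF2-HMAC-SHA256 work factor (assumed; tune per hardware)

    // Step 1: a fresh salt from the OS CSPRNG, never a predictable string.
    public static byte[] NewSalt() => RandomNumberGenerator.GetBytes(SaltSize);

    // Steps 2 and 3 exactly as the post describes them: prepend the salt and
    // hash once with SHA-256. Kept here only for comparison; a single fast hash
    // defeats rainbow tables but is still cheap to brute-force per user.
    public static byte[] NaiveSaltedSha256(string password, byte[] salt)
    {
        byte[] pw = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pw.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pw, 0, input, salt.Length, pw.Length);
        return SHA256.HashData(input);
    }

    // Hardened version: PBKDF2 mixes in the salt and iterates the hash many
    // times, so every guess costs the attacker the same work it costs us.
    // Step 4: the record carries the algorithm, iteration count, salt and hash;
    // none of these needs to be secret.
    public static string HashPassword(string password)
    {
        byte[] salt = NewSalt();
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, HashSize);
        return $"pbkdf2-sha256${Iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(hash)}";
    }

    // Verification: recompute with the stored salt and iteration count, then
    // compare in constant time so the check does not leak the matching prefix.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha256") return false;
        if (!int.TryParse(parts[1], out int iterations) || iterations <= 0) return false;
        byte[] salt = Convert.FromBase64String(parts[2]);
        byte[] expected = Convert.FromBase64String(parts[3]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, iterations, HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    public static void Main()
    {
        string record = HashPassword("correct horse battery staple");
        Console.WriteLine(record);
        Console.WriteLine(Verify("correct horse battery staple", record));
        Console.WriteLine(Verify("wrong password", record));
        // Two users with the same password get different records, because
        // each call draws its own salt.
        Console.WriteLine(HashPassword("hunter2") == HashPassword("hunter2"));
    }
}
```

Storing the iteration count inside the record lets you raise the work factor for new passwords later without invalidating existing ones; old records keep verifying with the count they were created with, and can be rehashed on the user’s next successful login.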

I found this article also interesting:
