
Quick Sample of Password Hashing in C#

Since it seems like passwords are getting leaked way too often these days, I thought I’d throw a super quick sample out there for anyone with a need to store user passwords in their system.  Some important rules:

1. Don’t use reversible encryption, like 3DES or AES.
2. Always use a salt for each set of credentials; otherwise you’re open to dictionary attacks should your hashes be compromised.  You’ll want to store this alongside your hash in whatever password store you’re using.
3. Don’t invent your own algorithms – use a proven one written by experts who write them professionally, like PBKDF2.

Some recommended reading on why you should follow these rules: http://crackstation.net/hashing-security.htm

And on to the code sample.  Six lines of C# that work on Windows and Linux / Mono will get you a solid method for generating secure hashes.  Enjoy.  I hope this helps people out and gets more developers to use effective password security measures.

// pwd is the plaintext password (a string) supplied by the user.
var rng = new System.Security.Cryptography.RNGCryptoServiceProvider();
byte[] salt = new byte[8];
rng.GetBytes (salt); // Create an 8 byte salt
var iterations = 1000; // Choose a value that will perform well given your hardware.
var pbkdf2 = new System.Security.Cryptography.Rfc2898DeriveBytes(pwd, salt, iterations);
var hash = pbkdf2.GetBytes (16); // Get 16 bytes for the hash
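
Checking a login attempt means re-deriving the hash with the salt that was stored alongside it, then comparing the two. The following is an added example, not code from the original post; the `PasswordStore` class name and the `iterations:salt:hash` record layout are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
// Hypothetical helper (not from the post); the record layout is an assumption.
public static class PasswordStore
{
    const int SaltSize = 8, HashSize = 16; // same sizes as the sample above
    const int Iterations = 1000;           // tune for your hardware

    // Returns "iterations:salt:hash" (Base64 fields) to store for the user.
    public static string Hash(string pwd)
    {
        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt); // fresh random salt for every password
        using (var pbkdf2 = new Rfc2898DeriveBytes(pwd, salt, Iterations))
            return Iterations + ":" + Convert.ToBase64String(salt) + ":" +
                   Convert.ToBase64String(pbkdf2.GetBytes(HashSize));
    }

    // Re-derives the hash from the attempt with the stored salt and count.
    public static bool Verify(string attempt, string stored)
    {
        var parts = stored.Split(':');
        int iterations;
        if (parts.Length != 3 || !int.TryParse(parts[0], out iterations) || iterations < 1)
            return false; // malformed record
        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[1]);
            expected = Convert.FromBase64String(parts[2]);
        }
        catch (FormatException) { return false; }
        if (salt.Length < 8 || expected.Length == 0) return false;
        using (var pbkdf2 = new Rfc2898DeriveBytes(attempt, salt, iterations))
        {
            var actual = pbkdf2.GetBytes(expected.Length);
            int diff = 0; // OR all byte differences so timing does not leak a prefix match
            for (int i = 0; i < expected.Length; i++)
                diff |= actual[i] ^ expected[i];
            return diff == 0;
        }
    }
    public static void Main()
    {
        var record = Hash("correct horse"); // constructed sample password
        Console.WriteLine(Verify("correct horse", record) + " " + Verify("wrong guess", record));
    }
}
```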

  1. roee
    May 30, 2013 at 8:14 am

    Great method, but since this hash algorithm returns a different result for the same password, I wonder how I can use it for validating the password? Which part of this code can be static?

  2. Caglar
    March 13, 2014 at 1:33 pm

    Maybe storing the salt and password hash in different fields can give better performance. What do you think about it?

    • loosexaml
      March 13, 2014 at 7:11 pm

      I think it’s a micro-optimization and I can’t really speak to whether any given database can return two shorter fields faster than one longer one. Keeping them in one field will encourage you to do the comparison on your application server and not in the database, whereas if you store the salt in a separate field, one might be tempted to retrieve the salt, calculate the hash from the password attempt, and then do another query to see if the hash matches with the other field. Such an approach will definitely perform poorly since you have two I/O calls instead of one.

  3. Kevin
    June 17, 2015 at 3:03 am

    I am getting different hash values for C# and Java. I need to achieve the same key.
