DEV Community

loading...

.NET Passwords

Joe Enos
Software developer/architect, mostly working with .NET and SQL Server.
・1 min read

If you're rolling your own authentication, rather than using a third party solution, make sure you're doing it right.

Here are some of the basics. You'll want to create a random salt for each password, and hash the user's input using that salt when creating the record in your database. Then retrieve the salt and use it to hash the user's input again when logging in, and you can determine if the password is correct.

The important piece here is to use a sufficiently random salt, which means a cryptographically pseudo-random number generator (.NET's RandomNumberGenerator), and a sufficiently secure algorithm (PBKDF2 with HMACSHA512 and 10,000 iterations for example).

See an example here:

Discussion (0)