Harshit Tailor

Reputation: 3281

What is a salt key in ASP.NET Membership?

What is a salt key in ASP.NET Membership, and why is this key used?

Upvotes: 0

Views: 1183

Answers (4)

Levi Botelho

Reputation: 25214

Salting is the process of hashing a password with an additional value (the salt key in your case) to make it harder to crack. There are several reasons why this is so, two of which are:

  1. A given password hashed without a random key will hash to a given value, x. Many lookup (rainbow) tables exist which list common passwords and their unsalted hashes. If your database is compromised, weak password hashes can be cracked fairly easily by simply looking them up online.
  2. If you don't hash your passwords and your database is stolen, there will be clumps of users with the same weak password who will have the same hash. This gives hackers a place to start cracking, as once they crack the common hash they gain access to several accounts.

Keep in mind one final thing: Salting is a security measure but it does not make a database secure. Most hash functions are intended to hash data quickly. This means that brute forcing these functions is relatively easy, because the functions are optimised for speed. One of the single best ways to secure your passwords is to hash them with functions which take longer to process. This makes brute forcing them much more difficult. A password which takes 100ms to hash instead of 5ms will have an unnoticeable performance impact on your end user, but will take 20 times longer for a hacker to brute force. This technique, combined with hashing, helps keep your users' data safe.


This is one of my favourite articles on the subject: http://crackstation.net/hashing-security.htm

Upvotes: 2

Kamyar

Reputation: 18797

Salt is used to randomize the hashes. So attacks like lookup tables, reverse lookup tables, and rainbow tables become ineffective.

To get a better understanding, I recommend you read the article at http://crackstation.net/hashing-security.htm

Upvotes: 0

Moiz

Reputation: 2439

A salt is just a random number; you can use the RNGCryptoServiceProvider class in the framework library to produce a good random number to use as a salt.

Upvotes: 0

Nikos

Reputation: 7552

It's to prevent dictionary attacks; see http://en.wikipedia.org/wiki/Salt_(cryptography)

Also, for more detail, see

http://blog.nerdbank.net/2009/06/reverse-engineering-aspnet-membership.html

Upvotes: 1
