amateur

Reputation: 44605

mechanism for hashing passwords

I have a .NET application that stores hashed passwords in a SQL Server database.

The passwords are hashed using a salt that gets stored in the database with the hashed passwords.

As an extra layer of security, I hash the hashed password with another sitewide secret key that is not stored on the database server for security reasons. As the system is load balanced, where should I store the sitewide secret key? Store a copy of it in the config of each of my .NET applications (same value on all servers)?

Second question is, what is the recommended hashing mechanism for storing passwords?

Upvotes: 1

Views: 126

Answers (1)

scottheckel

Reputation: 9244

I tend to use bcrypt for storing passwords. The .NET implementation of it is BCrypt.NET, as it doesn't come in the .NET Framework at this point. You do not want to use a general-purpose hash function like MD5. Another common algorithm is PBKDF2, but I have not personally used it in .NET.

Upvotes: 2
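An added example (not code from the question or the answer) of the PBKDF2 route mentioned above, using only what ships in .NET: a random per-user salt, PBKDF2-HMAC-SHA256 via Rfc2898DeriveBytes, and the sitewide secret applied as an HMAC key (a "pepper") rather than by hashing the hash again, with a constant-time comparison on login. The class names, sizes, iteration count and the `PASSWORD_PEPPER` environment variable are assumptions; the pepper is read from each app server's configuration, never from the database.

```csharp
using System;
using System.Security.Cryptography;

// Added example: PBKDF2 with a per-user salt, then HMAC keyed with a sitewide
// pepper held only in each app server's config. Names and sizes are assumptions.
public static class PasswordHasher
{
    const int SaltSize = 16;        // 128-bit random salt per user
    const int HashSize = 32;        // 256-bit PBKDF2 output
    const int Iterations = 600_000; // tune so a hash takes ~100 ms on the app servers

    // Hash a new password: returns (salt, hash); store both next to the user row.
    public static (byte[] Salt, byte[] Hash) HashPassword(string password, byte[] pepper)
    {
        byte[] salt = new byte[SaltSize];
        RandomNumberGenerator.Fill(salt);
        return (salt, Derive(password, salt, pepper));
    }

    // Verify a login attempt; FixedTimeEquals avoids leaking how many bytes matched.
    public static bool Verify(string password, byte[] salt, byte[] storedHash, byte[] pepper)
    {
        byte[] candidate = Derive(password, salt, pepper);
        return CryptographicOperations.FixedTimeEquals(candidate, storedHash);
    }

    // Slow, salted part first (PBKDF2-HMAC-SHA256), then HMAC-SHA256 with the
    // pepper as the key. Without the pepper a leaked table cannot be verified offline.
    static byte[] Derive(string password, byte[] salt, byte[] pepper)
    {
        using var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256);
        byte[] derived = kdf.GetBytes(HashSize);
        using var mac = new HMACSHA256(pepper);
        return mac.ComputeHash(derived);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Pepper comes from configuration, identical on every load-balanced node.
        // The variable name PASSWORD_PEPPER is an assumption for this example.
        string encoded = Environment.GetEnvironmentVariable("PASSWORD_PEPPER")
            ?? throw new InvalidOperationException("PASSWORD_PEPPER is not configured");
        byte[] pepper = Convert.FromBase64String(encoded);

        var (salt, hash) = PasswordHasher.HashPassword("correct horse battery staple", pepper);
        Console.WriteLine(PasswordHasher.Verify("correct horse battery staple", salt, hash, pepper));
        Console.WriteLine(PasswordHasher.Verify("wrong password", salt, hash, pepper));
    }
}
```

Rotating the pepper requires re-hashing every stored value, so keep the old key available until each user has logged in again or re-hash in bulk during maintenance.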
