zak

Reputation: 462

Random string vs Guid

I need a random string of 32 characters to be used as salt for hashing some value. This random string is generated per user.

What is the difference between generating a guid per user and using the RNGCryptoServiceProvider?

Upvotes: 1

Views: 1126

Answers (2)

zak

Reputation: 462

After reading this, I understood the difference: http://blogs.msdn.com/b/oldnewthing/archive/2012/05/23/10309199.aspx

GUIDs are designed to be unique, not random

The GUID generation algorithm was designed for uniqueness. It was not designed for randomness or for unpredictability. Indeed, if you look at an earlier discussion, you can see that so-called Algorithm 1 is non-random and totally predictable. If you use an Algorithm 1 GUID generator to assign GUIDs to candidates, you'll find that the GUIDs are assigned in numerically ascending order (because the timestamp increases). The customer's proposed algorithm would most likely end up choosing for jury duty the first N people entered into the system after a 32-bit timer rollover. Definitely not random.

Similarly, the person who wanted to use a GUID for password generation would find that the passwords are totally predictable if you know what time the GUID was generated and which computer generated the GUID (which you can get by looking at the final six bytes from some other password-GUID). Totally-predictable passwords are probably not a good idea.

Upvotes: 0

Joey

Reputation: 354824

It's the difference between generating a unique key and generating 32 random characters. That's about it. Do what you intend to do.

If you need some way of identifying that user uniquely, even if databases are merged, use a GUID. If you need a salt for hashing a password, then use a random byte[]. Neither of them works well in the other context.

Upvotes: 2
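An added example, not code from the question or either answer, putting the two answers side by side in C#: a 32-character salt drawn from `RNGCryptoServiceProvider` (16 CSPRNG bytes rendered as hex) next to the 32-character `Guid` string the question considered, and the salt then fed to PBKDF2 where a salt actually belongs. The class and method names (`SaltDemo`, `NewSaltBytes`, `ToHex`, `GuidAsSalt`, `HashPassword`) are my own; it assumes .NET with `System.Security.Cryptography` available.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not from the question or answers); helper names are hypothetical.
static class SaltDemo
{
    // 16 random bytes -> 32 hex characters. Every bit comes from the CSPRNG.
    // On newer .NET, RandomNumberGenerator.Create() is the non-obsolete equivalent.
    public static byte[] NewSaltBytes(int length = 16)
    {
        var salt = new byte[length];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(salt);
        }
        return salt;
    }

    public static string ToHex(byte[] bytes)
    {
        return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
    }

    // Also 32 hex characters, but a GUID is built for uniqueness, not secrecy:
    // version/variant bits are fixed, and as the linked article notes, the
    // older algorithm embeds a timestamp and the generating machine's node id.
    public static string GuidAsSalt()
    {
        return Guid.NewGuid().ToString("N");
    }

    // The salt's real job: make each user's password hash distinct (PBKDF2 here).
    public static byte[] HashPassword(string password, byte[] salt, int iterations = 100000)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
        {
            return kdf.GetBytes(32);
        }
    }

    static void Main()
    {
        byte[] salt = NewSaltBytes();
        Console.WriteLine("CSPRNG salt: " + ToHex(salt));
        Console.WriteLine("GUID string: " + GuidAsSalt());
        Console.WriteLine("PBKDF2 hash: " + ToHex(HashPassword("correct horse", salt)));
    }
}
```

Store the salt bytes alongside the hash; the salt need not be secret, only unpredictable and unique per user, which is why the CSPRNG path is the one to keep.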
