Reputation:
I'm starting a new ASP.Net application from scratch. What should I use to encode passwords and what should my column be?
Just a simple varchar(512)? Thanks for any advice.
Upvotes: 2
Views: 179
Reputation: 28172
People, please.
Encryption != Encoding != Hashing
These are 3 different terms that should not be used interchangeably.
Passwords should be hashed and salted, never encrypted, much less encoded. Use SHA as your hashing algorithm and remember to use a salt too. That's a very important countermeasure to avoid rainbow table attacks.
Also, all hash functions will generate an output that has a fixed size (32 characters in case of MD5, 40 in SHA1, etc.) so you don't need all that extra space.
MSDN: SHA1 Class
Just hashing is far from enough
Upvotes: 0
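As an added example (not code from the answer above, and not anyone's project code), here is what "hash and salt, then size the column to the fixed output" looks like with System.Security.Cryptography. The class name, the 16-byte salt length and the "salt:hash" storage layout are my choices; the answer does not prescribe them.

```csharp
// Added example: salted SHA-256 password hashing and verification.
// Storage format (assumed here): hex(salt) + ":" + hex(SHA-256(salt || password)).
using System;
using System.Security.Cryptography;
using System.Text;

public static class SaltedSha256
{
    const int SaltBytes = 16; // 16 random bytes -> 32 hex characters

    // Returns the string to store. SHA-256 is always 32 bytes (64 hex chars),
    // so the stored value is 32 + 1 + 64 = 97 characters; char(97) is enough.
    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);
        return ToHex(salt) + ":" + ToHex(Digest(salt, password));
    }

    // Re-derives the digest with the stored salt and compares in fixed time.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 2) return false;
        byte[] salt = FromHex(parts[0]);
        byte[] expected = FromHex(parts[1]);
        byte[] actual = Digest(salt, password);
        return FixedTimeEquals(expected, actual);
    }

    static byte[] Digest(byte[] salt, string password)
    {
        byte[] pw = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pw.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pw, 0, input, salt.Length, pw.Length);
        using (var sha = SHA256.Create())
            return sha.ComputeHash(input);
    }

    // Avoids leaking, through timing, how many leading bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static string ToHex(byte[] bytes)
    {
        var sb = new StringBuilder(bytes.Length * 2);
        foreach (byte b in bytes) sb.Append(b.ToString("x2"));
        return sb.ToString();
    }

    static byte[] FromHex(string hex)
    {
        byte[] result = new byte[hex.Length / 2];
        for (int i = 0; i < result.Length; i++)
            result[i] = Convert.ToByte(hex.Substring(i * 2, 2), 16);
        return result;
    }

    public static void Main()
    {
        string stored = Hash("correct horse battery staple"); // sample password, constructed
        Console.WriteLine(stored.Length);
        Console.WriteLine(Verify("correct horse battery staple", stored));
        Console.WriteLine(Verify("not the password", stored));
    }
}
```

The salt is generated per user and stored in the clear beside the digest; its job is to make precomputed tables useless, not to be secret. Because a single SHA-256 pass is cheap to compute, the same salt and verify structure is usually wrapped around an iterated derivation such as Rfc2898DeriveBytes (PBKDF2) in .NET, which slows down offline guessing without changing the column sizing approach.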
Reputation: 21630
The FormsAuthentication namespace has a handy method that you can use to hash a password for storing [in the database].
As others have mentioned, be sure to salt your password.
using System.Web.Security;
string hash = FormsAuthentication.HashPasswordForStoringInConfigFile(saltedPassword, "SHA1");
Upvotes: 0
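As an added example (not part of the answer above), this shows one way to salt the input to FormsAuthentication.HashPasswordForStoringInConfigFile and keep the salt next to the digest so it can be re-applied at login. The class name, the "salt$digest" layout and the base64 salt encoding are assumptions of mine; the method itself lives in System.Web.Security and returns the digest as uppercase hex.

```csharp
// Added example: salting FormsAuthentication.HashPasswordForStoringInConfigFile.
// Needs a reference to System.Web (ASP.NET / .NET Framework).
using System;
using System.Security.Cryptography;
using System.Web.Security;

public static class FormsAuthPasswordStore
{
    // Builds "base64salt$hexdigest". A 16-byte salt is 24 base64 characters and
    // the SHA1 digest is 40 hex characters, so the stored string is 65 characters.
    public static string Create(string password)
    {
        byte[] saltBytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(saltBytes);
        string salt = Convert.ToBase64String(saltBytes);
        string digest = FormsAuthentication.HashPasswordForStoringInConfigFile(salt + password, "SHA1");
        return salt + "$" + digest;
    }

    // Splits the stored value, re-hashes with the same salt, and compares digests.
    public static bool Check(string password, string stored)
    {
        int sep = stored.IndexOf('$');
        if (sep < 0) return false;
        string salt = stored.Substring(0, sep);
        string expected = stored.Substring(sep + 1);
        string actual = FormsAuthentication.HashPasswordForStoringInConfigFile(salt + password, "SHA1");
        // The method returns uppercase hex; compare case-insensitively in case the
        // column was stored through a lower-casing layer.
        return string.Equals(expected, actual, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        string stored = Create("sample-password"); // constructed sample input
        Console.WriteLine(stored);
        Console.WriteLine(Check("sample-password", stored));
        Console.WriteLine(Check("other-password", stored));
    }
}
```

Because the salt is per user and stored alongside the digest, two users with the same password get different stored values, which is the property the salt is there to provide.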
Reputation: 1069
Well, if you're using SHA1 your hashes are only going to be 48 characters long, so 512 is overkill.
I use SHA 256 with a salt.
Upvotes: 2
Reputation: 78900
I would use the Membership API that's included with .NET. I believe it hashes passwords (and security answers) using salted SHA1. If you still want to reinvent the wheel, you could still use this as a guide for best practices.
Upvotes: 4
Reputation: 3213
I would take a look at the System.Security.Cryptography namespace and devise a way to encrypt the passwords. Once you do that you can just take a look at the size of the encrypted passwords and create your column accordingly. Make sure you don't lose the encryption key of course. I would also have a different key in DEV than in PROD for added security. There are plenty of tutorials (and code) on how to do this in .NET.
Good luck!
Upvotes: -2