Salting and Hashing Passwords using Linq To SQL

Question

I need to salt and hash some passwords so that I can store them safely in a database. Do you have any advice or ideas as to how best to do this using Linq To SQL?

Answer 1

If it is for user account login you don't want just salt+password hashing, you also want to use key stretching as per PBKDF2 in RFC2898 document.

Here is API to do what you need with example usage: https://sourceforge.net/projects/pwdtknet

Also creates crypto random salt at specified length

Answer 2

Since you are using the .NET and C#, use can use the System.Security.Cryptography.SHA512Managed namespace for generating the salt value and password hash

Answer 3

Basically as @Vojislav says.

You might want to look at bcrypt for the hashing - it's reputed to be very good.

Answer 4

LINQ to SQL doesn't have much relevance in this case. You could use any mechanism you want to, because you won't be doing hashing and salting in SQL.

The steps to save a password would go along these lines:

1. Receive the password as cleartext, along with the user's ID.
2. Generate (and remember) the salt.
3. Combine the salt with the password text, e.g. prepend it or append it.
4. Hash the resulting text with your hash function
5. Store the user ID, the hash and the salt in your DB.

The steps to verify a password would go along these lines:

1. Receive the password as cleartext, along with the user's ID.
2. Retrieve the hashed and the salt from the DB for the supplied user ID.
3. Combine the salt with the supplied password text.
4. Hash the resulting text with your hash function.
5. Compare the hash from the function with the hash retrieved from the DB.
6. If they are equal, the supplied password was correct.