gaben

Reputation: 11

Safest place to store a password's hash

I know I need to store it as a hash and then compare the values together, but where should I be sending this hash to compare with later?

Upvotes: 1

Views: 174

Answers (4)

Merlyn Morgan-Graham

Reputation: 59111

If you can integrate an existing AuthN/AuthZ mechanism, use it instead of rolling your own.

OAuth is such a mechanism.

If you must roll your own, then:

  • Use a database to store your data
  • Secure that database as best you can (get a security company/expert or DBA who knows what they're doing to do this)
  • Accept the password as a SecureString
  • Use a Salt
  • Hash the password in-memory on the server, and compare it to a hash that you've previously stored in your database
  • Use a one-way hash function that doesn't have known vulnerabilities, such as SHA256
  • Get your hash function implementation from System.Cryptography

Upvotes: 0
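A worked version of the salt-hash-compare steps listed in the answer above, added here as an example and not code from the answer's author. It uses System.Security.Cryptography throughout; in place of a single SHA-256 pass it uses Rfc2898DeriveBytes (PBKDF2-HMAC-SHA256), the framework's iterated hash, so the work factor is tunable. The record format `pbkdf2-sha256$iterations$salt$hash`, the constants and the sample password are assumptions made for this example; it targets .NET Core 2.1+ / .NET 5+ for CryptographicOperations.FixedTimeEquals.

```csharp
// Added example (not from the answer above): salted password hashing on the
// server with System.Security.Cryptography. The database column holds one
// string per user; the plaintext password is only ever held in memory.
using System;
using System.Security.Cryptography;

public static class PasswordHasher
{
    private const int SaltSize = 16;        // 128-bit random salt, unique per user
    private const int HashSize = 32;        // 256-bit derived key
    private const int Iterations = 600_000; // work factor; raise as hardware gets faster

    // Builds the record to store: "pbkdf2-sha256$<iterations>$<salt b64>$<hash b64>".
    // Salt and iteration count travel with the hash so they can change per user
    // and over time without a schema change.
    public static string HashPassword(string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);

        byte[] hash = Derive(password, salt, Iterations);
        return string.Join("$", "pbkdf2-sha256", Iterations.ToString(),
                           Convert.ToBase64String(salt), Convert.ToBase64String(hash));
    }

    // Recomputes the hash with the stored salt and iteration count and compares
    // in constant time so a near-miss does not finish faster than a total miss.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha256") return false;
        if (!int.TryParse(parts[1], out int iterations) || iterations < 1) return false;

        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[2]);
            expected = Convert.FromBase64String(parts[3]);
        }
        catch (FormatException)
        {
            return false; // corrupted or tampered record
        }

        byte[] actual = Derive(password, salt, iterations);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashSize);
    }

    public static void Main()
    {
        // Constructed sample input for the demo.
        string record = HashPassword("correct horse battery staple");
        Console.WriteLine(record);
        Console.WriteLine(Verify("correct horse battery staple", record));
        Console.WriteLine(Verify("wrong password", record));
    }
}
```

The check the answer describes happens entirely inside Verify: the client sends the password over TLS, the server derives the hash and compares it against the stored record, and only the record string ever reaches the database. If you later raise Iterations, old records still verify because their own count is parsed back out, and you can re-hash on the next successful login.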

p.campbell

Reputation: 100577

It doesn't really matter where it's stored. The answer is: whatever makes sense for your application.

This could be whatever other storage mechanisms you've got in place. Consider putting it where the other user-related information is now:

  • a database
  • the registry (you didn't mention whether this was WinForms or other)
  • local storage (Win Phone)
  • call a web service

Suggest keeping it where users can't easily get their hands on it. Yes, it's a hash, but there'll be problems when people start messing around with that value. Try keeping it out of sight as best you can.

Upvotes: 1

Teoman Soygul

Reputation: 25742

See the ProtectedData class. It uses DPAPI and is actually fit for providing a mid level of security. In combination with IsolatedStorage, it is good enough for most purposes.

Upvotes: 3
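The ProtectedData plus IsolatedStorage combination from the answer above, as an added example that is not the answer author's code. It treats the stored verifier as opaque bytes (a salted hash computed elsewhere), wraps them with DPAPI in CurrentUser scope and writes the ciphertext to the assembly's isolated store. The file name, the entropy string and the sample verifier are assumptions for this example; ProtectedData is Windows-only, and on .NET Core / .NET 5+ it needs the System.Security.Cryptography.ProtectedData package.

```csharp
// Added example (not from the answer above): keep a client-side password
// verifier out of casual reach by encrypting it with DPAPI (ProtectedData)
// and storing the blob in IsolatedStorage. Assumes the verifier bytes were
// produced by a proper salted hash elsewhere; this class only stores them.
using System;
using System.IO;
using System.IO.IsolatedStorage;
using System.Security.Cryptography;
using System.Text;

public static class VerifierStore
{
    private const string FileName = "verifier.bin"; // assumed file name

    // Extra entropy mixed into the DPAPI key. It ships with the binary, so it
    // is not a secret from a local attacker; it only stops other programs
    // running as the same user from decrypting the blob by accident.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-v1");

    public static void Save(byte[] verifier)
    {
        byte[] blob = ProtectedData.Protect(verifier, Entropy, DataProtectionScope.CurrentUser);
        using (var store = IsolatedStorageFile.GetUserStoreForAssembly())
        using (var stream = store.OpenFile(FileName, FileMode.Create, FileAccess.Write))
            stream.Write(blob, 0, blob.Length);
    }

    // Returns null when nothing is stored or the blob will not decrypt
    // (edited on disk, copied from another user or machine, wrong entropy).
    public static byte[] Load()
    {
        using (var store = IsolatedStorageFile.GetUserStoreForAssembly())
        {
            if (!store.FileExists(FileName)) return null;

            byte[] blob;
            using (var stream = store.OpenFile(FileName, FileMode.Open, FileAccess.Read))
            using (var buffer = new MemoryStream())
            {
                stream.CopyTo(buffer);
                blob = buffer.ToArray();
            }

            try
            {
                return ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
            }
            catch (CryptographicException)
            {
                return null;
            }
        }
    }

    // Constant-time comparison against the stored verifier.
    public static bool Matches(byte[] candidate)
    {
        byte[] stored = Load();
        return stored != null && CryptographicOperations.FixedTimeEquals(candidate, stored);
    }

    public static void Main()
    {
        // Constructed stand-in for a real salted hash.
        byte[] verifier;
        using (var sha = SHA256.Create())
            verifier = sha.ComputeHash(Encoding.UTF8.GetBytes("constructed-sample-verifier"));

        Save(verifier);
        Console.WriteLine(Matches(verifier));
        Console.WriteLine(Matches(new byte[verifier.Length]));
    }
}
```

The limit to keep in mind is the scope: DataProtectionScope.CurrentUser means any code running under that Windows account can call Unprotect and read the verifier, so this defends against other accounts and against the file being lifted and used on another machine, not against the user of the PC or malware running as them. That is what makes it the mid level of security the answer describes rather than a substitute for server-side verification.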
