1

I have a .net application that stores hashed passwords in a sql server database.

The passwords are hashed using a salt that gets stored in the database with the hashed passwords.

As an extra layer of security, I hash the hashed password with another sitewide secret key that is not stored on the database server for security reasons. As the system is load balanced, where should I store the sitewide secret key? Store a copy of it in the config of each of my .net applications (same value on all servers).

Second question is, what is the recommended hashing mechanism for storing passwords?

amateur
  • 43,371
  • 65
  • 192
  • 320
  • 1
    What hash algorithm do you use? It is unlikely that hashing again will significantly improve security; consult [Is double-hashing a password less secure...](http://stackoverflow.com/questions/348109/). – Dour High Arch Dec 16 '12 at 02:09
  • Does it matter to much where you store the site specific salt as long as they are not visible (and can never be) visible on the internet? If a server breaks into your DB and your web server they can probably get at your site specific salt easily. – scottheckel Dec 16 '12 at 02:32

1 Answers1

2

I tend to use bcrypt storing passwords. The .NET implementation of it is BCrypt.NET as it doesn't come in the .NET framework at this point. You do not want to use a general purpose hash function like MD5. Another common algorithm is PBKDF2, but I have not personally used it in .NET.

scottheckel
  • 9,106
  • 1
  • 35
  • 47