How to generate Salt for this Hash function?

Question

I am using the following Hash function from the SO topic Hash and salt passwords in C#. How do I generate the salt value in byte array format?

static byte[] GenerateSaltedHash(byte[] plainText, byte[] salt)
{
  HashAlgorithm algorithm = new SHA256Managed();

  byte[] plainTextWithSaltBytes = 
    new byte[plainText.Length + salt.Length];

  for (int i = 0; i < plainText.Length; i++)
  {
    plainTextWithSaltBytes[i] = plainText[i];
  }
  for (int i = 0; i < salt.Length; i++)
  {
    plainTextWithSaltBytes[plainText.Length + i] = salt[i];
  }

  return algorithm.ComputeHash(plainTextWithSaltBytes);            
}

That topic doesn't present any code in C# to do the hashing so is not of any use to me. — user2471435, Aug 07 '14 at 15:50

score 0 · Accepted Answer · answered Aug 07 '14 at 16:08

Fast hash algorithms like MD5, SHA-1 or even SHA-256 are not good choices to hash passwords, because they are much too fast and can be brute-forced too easily. One can calculate about 1 Giga SHA-256 values per second with common hardware.

Instead you can use a slow key-derivation function like BCrypt or PBKDF2. CSharp has native support for PBKDF2, it can be implemented with the Rfc2898DeriveBytes class, an example you can find here.

Also easy to use is this BCrypt library. Often people are not sure if it is safe to use such libraries, but there is no reason against using it. As long as the library returns the correct value and generates the salt correctly, it should be fine, because the security comes from the algorithm and not from the implementation.

How to generate Salt for this Hash function?

1 Answers1