Encrypting passwords in ASP.NET MVC 3

Question

I'm trying to create a custom membership system in ASP.NET MVC3.

I know there are many free and open source providers, but I'm doing this to learn more. My question is about encrypting passwords.

Which algorithm do you suggest I use: SHA1, SHA256, MD5, BCrypt, or something else? Also, which way do you suggest to create a password salt?

score 1 · Answer 1 · answered Feb 17 '12 at 18:07

Most of those algorithms are hashing algorithms, they don't encrypt they create a hash (checksum) and usually this is the best way to store passwords, unless you have a really good reason to want a way to restore passwords (and I don't think there are many reasons for that).

I tipically use sha256. About the salt, a random 6 or more characters string is enough. But the salt can be anything, it depends on your imagination how to generate it.

score 1 · Accepted Answer · answered Feb 17 '12 at 18:07

1

BCrypt if you need really strong hash. As far as generating the salt is concerned, you could use the RNGCryptoServiceProvider class. Here's an article that you may checkout. Just replace the SHA1 algorithm used there with BCrypt.

answered Feb 17 '12 at 18:07

Darin Dimitrov

1,023,142
271
3,287
2,928

Thanks. Is BCrypt internally supported by .net and RNGCryptoServiceProvider? – amiry jd Feb 17 '12 at 18:20
1

@king.net, no, it isn't. There are .NET implementations though: http://bcrypt.codeplex.com/ – Darin Dimitrov Feb 17 '12 at 18:23

Encrypting passwords in ASP.NET MVC 3

2 Answers2

Linked