(As suggested, I’ve replaced my previous salt generation method with something that should be more secure)
To generate a random salt:
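    // Fills a buffer of `size` bytes from the cryptographic RNG and returns it Base64-encoded.
    public static string GenerateRandomSalt(RNGCryptoServiceProvider rng, int size)
    {
        var bytes = new Byte[size];
        rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Usage: one generator instance can produce any number of salts.
    var rng = new RNGCryptoServiceProvider();
    var salt1 = GenerateRandomSalt(rng, 16);
    var salt2 = GenerateRandomSalt(rng, 16);
    // etc.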
RNGCryptoServiceProvider is used to generate “cryptographically strong random values,” making it more suitable for use here than the standard Random class. However you generate the salt, you can then append it to your password and hash using your algorithm of choice:

    var salt = GenerateRandomSalt(rng, 16);
    var hashedPassword = DoPasswordHashing(password + salt);

However, it’s worth pointing out that doing user authentication correctly can be a more difficult problem than it seems. Eric Lippert wrote a series of blog articles about this several years ago: http://blogs.msdn.com/b/ericlippert/archive/2005/01/28/you-want-salt-with-that-part-one-security-vs-obscurity.aspx
solved Encrypting the password using salt in c# [closed]