Salt in a hash with password

Question

1.00/5 (2 votes)

See more:

C#

RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
                        byte[] saltByte = new byte[8];
                       
                        rng.GetBytes(saltByte);

                        string salt = Convert.ToBase64String(saltByte);

                        SHA512Managed hashing = new SHA512Managed();

                        string hash = textboxpassword.text + salt;

                        byte[] bytes = Encoding.Unicode.GetBytes(hash);

                        byte[] hash = hashing.ComputeHash(bytes);

                        hashes = Convert.ToBase64String(hash1);

Here is my sample data, is my salt in the hash?

Password - P3w1VyHK0PgLmWdCuG4pzCOuTK2/xMrK2UC2S7ZBJy45NC34r9uf3qRODtw9m287tMQfo4QAB5TuFwvc9E/4cg==

Salt -
drYJ2AJJNBc=

Posted 16-Jul-14 23:03pm

polkj

Updated 16-Jul-14 23:10pm

CPallini

v3

Add a Solution

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CPallini · Answer 1 · 2014-07-16T23:11:00

Solution 1

Of course it is: you have explicitely put it into the input data.

Posted 16-Jul-14 23:11pm

CPallini

Comments

polkj 17-Jul-14 5:30am

Really, but the salt value is not inside

OriginalGriff · Answer 2 · 2014-07-16T23:17:00

No. It does however make your encrypted data pretty strongly encrypted - since you use a random salt value and don't appear to save it - which is going to make it pretty much impossible for you to decode it unless you store the whole has somewhere - which kinda defeats the point, really.

The idea of using a salt is not to increase the strength of the encryption, but to make the same text encrypted for different users different: so if 50 of your users have the same password you can't tell what it is by using the same one - the salt means that the encrypted value is different.

There are two suggestions I would make here: combine the password with some unique information (such as the user number or even userID) and use that as the value to encrypt. The uniqueness of the user data ensures that identical values don't generate the same output.
Second, don't encrypt passwords. Ever. Hash them instead: Password Storage: How to do it.[^]