Secure Password Hashing

Question

I need to store a hash of a single password in a .Net WinForms application.

What\'s the most secure way to do this?

In particular:

• Salt, HMAC,

Answer 1

Hash and Salt. If you only hash you could be attacked by a rainbow attack (reverse has lookup) and a salt makes this much more difficult (random salt would be best.) For your encoding you will probably want to either Base64 or Hex encode your resulting byte array. If you just try to store the byte array as Unicode you could run the risk of some data being lost because not all patterns are valid characters. This also allows for an easier way to compare hashes (just compare the base64 or hex string when you want to validate instead of comparing the byte array)

An increased number of rounds doesn't do much beyond slowing down would be attackers. But is also makes is much more difficult to reuse the hashes in the future if you lose or need to recreate your hash algorithm. You might check out a standard password hash such as crypt on unix systems. This allows for you to change out the hash algorithm and can even support versioning.

But again, a simple hash + salt is good enough for most applications.

Answer 2

I think you should stick with open standards. Among the current hash schemes, the "{ssha}" used by OpenLDAP is very secure and widely used. You can find the description here,

http://www.openldap.org/faq/data/cache/347.html

Most LDAP libraries implement this scheme.

Answer 3

Here is an API which will do everything you need/want :)

https://sourceforge.net/projects/pwdtknet