DEV Community

Joe Enos

.NET Passwords

If you're rolling your own authentication, rather than using a third party solution, make sure you're doing it right.

Here are the basics. Generate a random salt for each password, hash the user's input together with that salt, and store both the salt and the resulting hash when you create the record in your database. At login, retrieve the stored salt, hash the user's input with it again, and compare the result against the stored hash to determine whether the password is correct.

The important pieces here are a sufficiently random salt, which means a cryptographically secure pseudo-random number generator (.NET's RandomNumberGenerator), and a sufficiently strong, deliberately slow password-hashing algorithm (for example PBKDF2 with HMACSHA512 and 10,000 iterations).

See an example here:
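The following is an added example, not the post's own code. It implements the salt-hash-store and retrieve-rehash-compare flow described above using the post's parameters (PBKDF2, HMAC-SHA512, 10,000 iterations); it assumes .NET 6 or later for the static `Rfc2898DeriveBytes.Pbkdf2` and `RandomNumberGenerator.GetBytes` helpers, and the `iterations.salt.hash` record format is a choice made here, not one the post prescribes.

```csharp
using System;
using System.Security.Cryptography;

public static class PasswordHasher
{
    // Parameters from the post: PBKDF2 with HMAC-SHA512 and 10,000 iterations.
    private const int SaltSize = 16;     // 128-bit salt, fresh for every password
    private const int HashSize = 64;     // 512-bit output to match SHA-512
    private const int Iterations = 10_000;
    private static readonly HashAlgorithmName Algorithm = HashAlgorithmName.SHA512;

    // Creates the value to store for a new user: "iterations.salt.hash" (base64).
    // Storing the iteration count lets you raise it later without breaking existing records.
    public static string Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);  // CSPRNG salt
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, Algorithm, HashSize);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }

    // Verifies a login attempt against the stored record.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('.', 3);
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations))
            return false;  // malformed record: reject rather than throw

        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);

        // Re-derive with the stored salt and iteration count, then compare in
        // constant time so timing does not leak how many bytes matched.
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, Algorithm, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }
}

public static class Program
{
    public static void Main()
    {
        string record = PasswordHasher.Hash("correct horse battery staple");  // constructed sample
        Console.WriteLine(record);
        Console.WriteLine(PasswordHasher.Verify("correct horse battery staple", record)); // True
        Console.WriteLine(PasswordHasher.Verify("wrong password", record));               // False
    }
}
```

Two calls to `Hash` with the same password produce different records because each gets its own salt; only `Verify`, which reuses the stored salt, can confirm a match.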
