mechanism for hashing passwords

2018-06-07 00:25:15

I have a .net application that stores hashed passwords in a sql server database.

The passwords are hashed using a salt that gets stored in the database with the hashed passwords.

As an extra layer of security, I hash the hashed password with another sitewide secret key that is not stored on the database server for security reasons. As the system is load balanced, where should I store the sitewide secret key? Store a copy of it in the config of each of my .net applications (same value on all servers).

Second question is, what is the recommended hashing mechanism for storing passwords?

I tend to use bcrypt storing passwords. The .NET implementation of it is BCrypt.NET as it doesn't come in the .NET framework at this point. You do not want to use a general purpose hash function like MD5. Another common algorithm is PBKDF2, but I have not personally used it in .NET.

链接地址: http://www.djcxy.com/p/21598.html

上一篇: 如何用长嘴鳕来散列长密码（> 72个字符）

下一篇: 哈希密码机制