
Secure Salted Password Hashing - How to do it Properly

If you're a web developer, you've probably had to make a user account system. The most important aspect of a user account system is how user passwords are protected. User account databases are hacked frequently, so you absolutely must do something to protect your users' passwords if your website is ever breached. There are a lot of conflicting ideas and misconceptions about how to do password hashing properly, probably due to the abundance of misinformation on the web.

IMPORTANT WARNING: If you are thinking of writing your own password hashing code, please don't! If for some reason you missed that big red warning note, please go read it now.

What is password hashing?

    hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
    hash("hbllo") = 58756879c05c68dfac9866712fad6a93f8146f337a69afe7dd238f3364946366
    hash("waltz") = c0e81794384491161f1777c232bc6bd9ec38f616560b120fda8e90f383853542

http - The definitive guide to forms based website authentication

nullsecurity.net - How to get compatibility between C# and SQL2k8 AES Encryption

SQL Server EncryptByKey cryptographic message description - SQL Server Security
Since the introduction of SQL Server 2008 extensible key management (EKM), new opportunities may arise to handle data encryption on the client while still making the plaintext data accessible to authorized users in SQL Server. One issue between SQL Server and third party clients has already been discussed in the SQL Server Security forum in the past: describing the cryptographic message elements used by the resulting ciphertext generated by the EncryptByKey builtin. While we are in the process of finalizing our documentation regarding this subject matter, I would like to take this opportunity to bring you an early draft view of the information and to get your feedback. Below I will explain each one of the parts of the message along with an example.

    CipherTextMessage := KeyGUID + EncryptionHeader + EncryptedMessage
    KeyGUID := {16 bytes} Key_guid.
    EncryptionHeader := Headerversion + ReservedBytes
    Headerversion := {1 byte} SQL Server encryption message version.

Detailed analysis of each field:

Walden's Blog: Computing MD5 Hash of varbinary(max) in SQL Server CLR
SQL Server provides the HASHBYTES function, which computes the MD5 hash value of the bytes passed to it, with one problem... it only accepts the older (pre-2005) max length of 8000 bytes in a varbinary. That's useful, I suppose, if you're trying to get the MD5 hash of a password or a name, but completely useless in a case like I had, where we needed to compute the MD5 hash of a blob column -- and a blob column where the max datalength is dozens if not hundreds of megabytes. I needed something different! Our first pass was to write a command line application that selected the filedata column (the blob) from the table and then just computed the MD5 from within C#. That made some sense, since the point of this was to check an export we were doing of the file data from blobs to files in the file system, but it just seemed wrong somehow. If you haven't played with them, SQL CLR functions allow you to code a static method in your .NET language of choice (C#!) OK, now there's a new problem.

VB.NET AES Encryption
I'm very sorry for machine translation in English. The .NET Framework provides standard encryption classes, which makes it possible to perform encryption and decryption easily. The sample code performs encryption and decryption using a fixed encryption key.

    Imports System.IO
    Imports System.Text
    Imports System.Security.Cryptography
    ' 128bit(16byte) IV and Key
    Private Const AesIV As String = "!

The sample has a fixed string Key and IV; with respect to the IV, the program may generate it automatically, and I may add it to the beginning of the encrypted string. The encrypted data is a byte array, which has been converted to a Base64 string because it is cumbersome as it is. Visual Studio 2010, .NET Framework 4

bouncycastle - Encrypt/Decrypt using Bouncy Castle in C#
