This web site uses cookies. By using the site you accept the cookie policy.This message is for compliance with the UK ICO law.

.NET 3.5+

Salted Password Hashing

There are many ways in which passwords can be stored, with varying levels of security. Salted password hashing uses a non-reversible hashing algorithm with the inclusion of a randomised element to make it more difficult to obtain user passwords.

Hashing Passwords with C#

In the remainder of the article we will create a class that demonstrates the use of salted hashed passwords. The class will include methods that generate random salt values, hash passwords and check if a provided password is correct. The class will not include any functionality for storing credentials or retrieving them, as this will vary from system to system.

Creating the Class

To begin, create a new project and add a class named, "PasswordHasher".

public class PasswordHasher

Generating a Salt

The salt value should be a random series of characters. A simple way to produce a salt is using a GUID. The GenerateSalt method returns a string containing the 32 hexadecimal digits with no braces or hyphens:

public string GenerateSalt()
    return Guid.NewGuid().ToString("N");

Hashing a String

The hashing algorithm should take a string of an arbitrary length and produce a value based upon its entire contents. The .NET framework includes several possible classes for this purpose. One of these uses the Secure Hash Algorithm (SHA) function, which we will use in the sample code. You should carefully consider other functions, including those not supported natively by the .NET framework, according to the level of security that you require as some hash functions have security flaws.

The SHA-512 function is implemented using the SHA512CryptoServiceProvider class, which is found in the System.Security.Cryptography namespace. We will also be using some conversion methods from classes in the System.Text namespace. For simplicity, ensure that the following using directives are presentsha:

using System.Security.Cryptography;
using System.Text;

We can now create a private method that hashes a string, shown in the sample code below. The first line creates the object that will perform hashing. The second line converts the string being hashed to a byte array, as the encryptor cannot work with strings directly. The third line performs the hashing using the ComputeHash method, which returns another byte array. Finally, the results are converted to a string and returned.

private string HashString(string toHash)
    using (SHA512CryptoServiceProvider sha = new SHA512CryptoServiceProvider())
        byte[] dataToHash = Encoding.UTF8.GetBytes(toHash);
        byte[] hashed = sha.ComputeHash(dataToHash);
        return Convert.ToBase64String(hashed);

Hashing a Password with Salt

The next public method is used to generate salted hashes. The password and salt value are combined, in this case by concatenation, and then hashed using the HashString method.

public string HashPassword(string password, string salt)
    string combined = password + salt;
    return HashString(combined);

Checking a Password

Finally we can create the method that checks if an entered password is correct. Three parameters are used to pass the entered password, the salt for the user and the expected hash value from the credentials list. The method hashes the provided password and salt and compares the result with the expected hash value. If the two match, the method returns true to indicate that the login details are correct.

public bool CheckPassword(string password, string salt, string hash)
    return HashPassword(password, salt) == hash;
6 February 2011