    How to Hash and Salt Passwords in ASP.NET

    Use a hashing algorithm, such as SHA256, to store passwords. Make sure to salt the hashes. (SHA256 is a fast hash; for password storage, current guidance favors a deliberately slow, iterated key-derivation function such as PBKDF2, available in .NET as Rfc2898DeriveBytes. The salting and storage steps below apply either way.)

    Step 1. Compute the Salt

    You can compute the salt value by using the RNGCryptoServiceProvider class, as shown in the following code example. (From .NET 6 on, RNGCryptoServiceProvider is marked obsolete; RandomNumberGenerator.Create() is the replacement and exposes the same GetBytes method.)

    using System;
    using System.Security.Cryptography;
    ...
    private static string CreateSalt(int size)
    {
        // Generate a cryptographic random number using the cryptographic
        // service provider
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        byte[] buff = new byte[size];
        rng.GetBytes(buff);
        // Return a Base64 string representation of the random number
        return Convert.ToBase64String(buff);
    }

    Note: If you use the ASP.NET SQL Server membership provider, you can configure it to store password hashes with added salt by setting passwordFormat="Hashed" on the provider configuration. 

    Step 2. Combine Password and Salt

    Simply concatenate the password and the salt.

    Step 3. Hash the Password and the Salt

    The following code example shows how to use a hashing algorithm, such as SHA256, to hash data. (SHA256CryptoServiceProvider is marked obsolete from .NET 6 on; SHA256.Create() returns an equivalent HashAlgorithm.)

    using System;
    using System.Security.Cryptography;
    using System.Text;
    ...
    private static string ComputeHash(string stringDataToHash)
    {
        // Create a new instance of the hash crypto service provider.
        HashAlgorithm hashAlg = new SHA256CryptoServiceProvider();
        // Convert the data to hash to an array of Bytes.
        byte[] bytValue = Encoding.UTF8.GetBytes(stringDataToHash);
        // Compute the Hash. This returns an array of Bytes.
        byte[] bytHash = hashAlg.ComputeHash(bytValue);
        // Optionally, represent the hash value as a base64-encoded string,
        // for example, if you need to display the value or transmit it over a network.
        string base64 = Convert.ToBase64String(bytHash);
        return base64;
    }

    Step 4. Store the Hash and the Salt

    Store the hash and the salt in the location of your choosing. Make sure to store the salt along with the hash, because the salt is necessary for recomputing the hash when checking a user-entered password.

    PS:

    ----- Creating/Storing a new password
    1. Create a random number, called SALT
    2. Hash the SALT, convert to base 64. This might give for example: 23423AEF==
    3. Store the hashed SALT in the incident report column 'SaltHash'
    4. Concatenate the user's password and the hashed salt, e.g. mypassword23423AEF==
    5. Hash the concatenation, convert to base 64, might give 123456===
    6. Store this value as the PasswordHash

    ------- Verifying the password is correct
    1. User enters a value, say 'mypassword'
    2. Read the hashed SALT value from the database
    3. Concatenate the hashed Salt and the entered value
    4. Hash the concatenation
    5. This value should be exactly the same as the value stored in the database for PasswordHash
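    The following is an added example, not code from the original post, that carries Steps 1 through 4 and the create/verify checklist above through as one runnable C# program. It assumes .NET Core 2.1 or later (for CryptographicOperations.FixedTimeEquals and RandomNumberGenerator), a 16-byte salt (the post does not fix a size), the concatenation order password + salt from Step 2, and the class and method names SaltedPasswordHasher, CreateSalt, HashPassword, Create and Verify, all of which are this example's own.

```csharp
// Added example (not from the original post): salt, hash, store and verify
// a password with SHA-256 over (password + salt), as the post describes.
// Assumptions: .NET Core 2.1+ / .NET 5+, a 16-byte salt, constant-time
// comparison via CryptographicOperations.FixedTimeEquals at verification.
using System;
using System.Security.Cryptography;
using System.Text;

public static class SaltedPasswordHasher
{
    private const int SaltSize = 16; // assumed; the post leaves the size to the caller

    // Step 1: random salt from the OS CSPRNG. RandomNumberGenerator is the
    // non-obsolete replacement for RNGCryptoServiceProvider.
    public static string CreateSalt(int size = SaltSize)
    {
        byte[] salt = new byte[size];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        return Convert.ToBase64String(salt);
    }

    // Steps 2 and 3: concatenate password and salt, then SHA-256 the UTF-8 bytes.
    public static string HashPassword(string password, string saltBase64)
    {
        byte[] data = Encoding.UTF8.GetBytes(password + saltBase64);
        using (var sha = SHA256.Create())
        {
            return Convert.ToBase64String(sha.ComputeHash(data));
        }
    }

    // Step 4: both values are needed later, so the caller stores both.
    public static (string SaltBase64, string HashBase64) Create(string password)
    {
        string salt = CreateSalt();
        return (salt, HashPassword(password, salt));
    }

    // Verification: recompute with the stored salt and compare in constant time,
    // so the comparison does not leak how many leading bytes matched.
    public static bool Verify(string enteredPassword, string storedSaltBase64, string storedHashBase64)
    {
        byte[] expected = Convert.FromBase64String(storedHashBase64);
        byte[] actual = Convert.FromBase64String(HashPassword(enteredPassword, storedSaltBase64));
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }

    public static void Main()
    {
        // Creating/storing: what the two database columns would hold.
        var record = Create("mypassword");
        Console.WriteLine($"SaltHash={record.SaltBase64} PasswordHash={record.HashBase64}");

        // Verifying: correct password, wrong password (case differs).
        Console.WriteLine(Verify("mypassword", record.SaltBase64, record.HashBase64));
        Console.WriteLine(Verify("MyPassword", record.SaltBase64, record.HashBase64));

        // The same password with a fresh salt yields a different hash, which is
        // why salting is done: equal passwords do not produce equal stored rows.
        var second = Create("mypassword");
        Console.WriteLine(record.HashBase64 != second.HashBase64);
    }
}
```

    Verify recomputes the hash from the stored salt rather than reading anything from the entered value, and compares the two byte arrays with FixedTimeEquals instead of string equality, so a mismatch costs the same time regardless of where the first differing byte is. Swapping the body of HashPassword for Rfc2898DeriveBytes with an iteration count would turn this into PBKDF2 without changing the storage or verification logic.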

    Original source: https://www.cnblogs.com/cw_volcano/p/2512083.html