Home/ Questions/Q 6171007
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T23:08:18+00:00

A string salt = Crypto.GenerateSalt(); string saltAndPwd = String.Concat(originalPassword, salt); string hashedPwd = Crypto.HashPassword(saltAndPwd);

  • 0

A

string salt = Crypto.GenerateSalt();
string saltAndPwd = String.Concat(originalPassword, salt);
string hashedPwd = Crypto.HashPassword(saltAndPwd);

B

string hashedPwd = Crypto.HashPassword(originalPassword);

May i know Method A and Method B, which is more secure ? or which is the correct approach ? with reflector, i found this is the hash password method in the core : 

public static string HashPassword(string password)
{
if (password == null)
{
    throw new ArgumentNullException("password");
    }
    return HashWithSalt(password, GenerateSaltInternal(0x10));
}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    As the main purpose of using a salt is to defeat rainbow tables, adding additional salt to what HashPassword already does doesn’t seem like it will gain you much benefit, and only incur additional overhead (as you have to store the salt you generate yourself. HashPassword builds it into the returned value). For reference, this is what HashPassword does:

    The password hash is generated with the RFC 2898 algorithm using a 128-bit salt, a 256-bit subkey, and 1000 iterations. The format of the generated hash bytestream is {0x00, salt, subkey}, which is base-64 encoded before it is returned.

    So, in short, what’s in the framework already is good enough for any reasonable definition of good enough.

    • 0