I have an ASP.NET (MVC 3) web site where users will be able to log in to perform certain actions. I need to store their passwords in a backend SQL Server 2008 database. I will be using forms authentication (not Windows authentication). I am just wondering what the best way of storing the password in the database is. Reading some links like this, I am inclining towards using a hash with salt, but I am unclear on how to store the salt value. Should the salt value be encrypted? Does anyone have other ideas, best practices, potential problems or key considerations before concluding with this approach?
Typically the salt is stored as part of the hash, sometimes as the first two bytes. It can be stored as a separate field if necessary, especially when the salt is longer. The salt does not need to be encrypted. You just store the salt+hash in a reasonably-secure (admin access only) location.
Don’t ever store the actual password. You only need the salt and hash. When the user gives a password, you encrypt it using the stored salt for the user they claim to be, and if the result matches the stored hash, the password is correct.
A good article on the subject: http://www.obviex.com/samples/hash.aspx