Home/ Questions/Q 109007
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-11T02:00:06+00:00

Ok, I have an application written in C#. We have data in an SQL

  • 0

Ok, I have an application written in C#. We have data in an SQL Server. Among that data we have user accounts, which will give access to the application.

I’ve read around, and I know that you should salt and hash and possibly hash a bunch of times, etc. But, where do I do what? What do I send to and from the SQL Server? Exactly what do I store in the database? Do I hash it in SQL? (possibly a hash function there, like in mysql?) Do I hash and do the fancy stuff in my code? Do I send the hash to the server and compare, or do I get the hash from the server and compare in my application? What about the salt? Where do I make it? Where do I store it? How do I get it?

In other words, could someone give me a nice and clear walkthrough of a login scenario (and possibly a user add/reset password scenario). What goes where, what should be used where, etc.

Hope someone can clear these things up for me =)

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. I agree with Joel Coehoorn completely, the best choice is to trust someone else’s tried and true implementation. If, however, you’re determined to roll your own security implementation, then my advice is the following:

    1. Store the hash and salt in the database.
    2. Generate the hash and the salt in your own code. That way you’re not tying yourself to a specific database.
    3. Never send the password over the wire as plaintext. I would recommend fetching the hash and the salt from the database and comparing it to the ones you calculated from the username and password supplied by the party that wishes to be authenticated.
    • 0