http://forums.asp.net/25.aspxAll about ASP.NET security (authentication, authorization, membership, roles, etc.) and the Login controls. <a href="http://aspadvice.com/SignUp/list.aspx?l=24&c=17" target="_blank">Email List</a>enCommunityServer 2007 SP1 (Build: 20510.895)http://forums.asp.net/thread/2409039.aspxSun, 08 Jun 2008 08:55:10 GMT4c671506-2930-414c-a40b-8bf57ded5924:2409039Freakish_050http://forums.asp.net/thread/2409039.aspxhttp://forums.asp.net/commentrss.aspx?SectionID=25&PostID=2409039<p>Hi bbaxter,</p><p>The following method will create a random salt for you.&nbsp; Assuming you wanted the salt to be one-time per user, this is a very useful method.<br /></p><pre class="coloredcode"><span class="kwd">public static string</span> CreateSalt()<br /> {<br /> RNGCryptoServiceProvider rng = <span class="kwd">new</span> RNGCryptoServiceProvider();<br /> <span class="kwd">byte</span>[] buff = <span class="kwd">new byte</span>[32];<br /> rng.GetBytes(buff);<br /> <span class="kwd">return</span> Convert.ToBase64String(buff);<br /> }</pre><pre class="coloredcode">I also encrypt my passwords using the following method.</pre><pre class="coloredcode"><span class="kwd">public static string</span> Enc(<span class="kwd">string</span> d2e)<br /> {<br /> UnicodeEncoding uEncode = <span class="kwd">new</span> UnicodeEncoding();<br /> <span class="kwd">byte</span>[] bytD2e = uEncode.GetBytes(d2e);<br /> SHA256Managed sha = <span class="kwd">new</span> SHA256Managed();<br /> <span class="kwd">byte</span>[] hash = sha.ComputeHash(bytD2e);<br /> <span class="kwd">return</span> Convert.ToBase64String(hash);<br /> }</pre><p>Notice that I am using SHA256.&nbsp; You can use SHA1 if you want but there are apparrently some vulnerabilities with it.&nbsp; There&#39;s also SHA384, SHA512 and SHA786 IIRC but as you increase the number, you also increase the time and processor load which will result in performance issues if you have high traffic.</p><p>SHA256 is a good comprimise for me since it&#39;s relatively quick and it cannot be decrypted.&nbsp; So even if some lucky person managed to gain access to your database, the data would be no good to them anyway <img src="http://forums.asp.net/emoticons/emotion-2.gif" alt="Big Smile" />&nbsp; Which has just reminded me!&nbsp; Since you cannot decrypt SHA256, you&#39;ll have to encrypt the submitted password and salt retrieved from the database and compare that to the encryped password in the database when authenticating users.</p><p>Hope that helps,</p><p>Jason<br />&nbsp;</p>http://forums.asp.net/thread/2407694.aspxFri, 06 Jun 2008 21:26:41 GMT4c671506-2930-414c-a40b-8bf57ded5924:2407694haoest0http://forums.asp.net/thread/2407694.aspxhttp://forums.asp.net/commentrss.aspx?SectionID=25&PostID=2407694<p>If you are using MD5 or or something similar, simply changing mypass to mypass2 yields a totally different result. Given that, you can concatenate any constant (e.g. a $ sign), or some variable that is fixed for each account (e.g. username) to the password before calling md5 hash function. </p><p>&nbsp;</p>http://forums.asp.net/thread/2407501.aspxFri, 06 Jun 2008 19:47:01 GMT4c671506-2930-414c-a40b-8bf57ded5924:2407501bbaxter0http://forums.asp.net/thread/2407501.aspxhttp://forums.asp.net/commentrss.aspx?SectionID=25&PostID=2407501<p>ok, Here&#39;s my situation: I have a users&#39; password, but I need to hash it and create a salt to insert into the aspnet_membership table. Can I do this manually? If there was a way to do it in SQL that&#39;d be awesome, but thats probably asking too much.<br /></p>