How to Securely Hash Passwords in .NET Using PBKDF2?

Use current best practices to securely hash passwords in .NET

When storing passwords in a database, it is critical to protect sensitive information using hashing algorithms. Encryption methods are not suitable for this purpose. The best native password hashing algorithm in .NET is PBKDF2 (Password-Based Key Derivation Function 2).

Step-by-step guide to password hashing using PBKDF2

Step 1: Generate salt value

The salt is a random value used to make the hash of each password unique. Create a salt value using a cryptographic PRNG (pseudo-random number generator):

byte[] salt;
new RNGCryptoServiceProvider().GetBytes(salt = new byte[16]);

Step 2: Create PBKDF2 object and calculate hash value

Instantiate the Rfc2898DeriveBytes class and specify the password, salt, and desired number of iterations (~100,000 recommended):

var pbkdf2 = new Rfc2898DeriveBytes(password, salt, 100000);
byte[] hash = pbkdf2.GetBytes(20);

Step 3: Combine salt and cipher bytes for storage

Combine the salt and password bytes to create a single string for database storage:

byte[] hashBytes = new byte[36];
Array.Copy(salt, 0, hashBytes, 0, 16);
Array.Copy(hash, 0, hashBytes, 16, 20);

Step 4: Convert to Base64 string for storage

Encode the combined bytes into a Base64 string for storage in the database:

string savedPasswordHash = Convert.ToBase64String(hashBytes);

Step 5: Verify the password entered by the user

To verify that the password entered by the user matches the stored hash:

• Get the stored password hash from the database.
• Extract the salt and hash bytes from the stored hash value.
• Calculate a new hash using the password entered by the user and the extracted salt.
• Compare the calculated hash with the stored hash. If they match, the password is valid.

string savedPasswordHash = DBContext.GetUser(u => u.UserName == user).Password;

byte[] hashBytes = Convert.FromBase64String(savedPasswordHash);
byte[] salt = new byte[16];
Array.Copy(hashBytes, 0, salt, 0, 16);

var pbkdf2 = new Rfc2898DeriveBytes(password, salt, 100000);
byte[] hash = pbkdf2.GetBytes(20);

for (int i=0; i < 20; i++)
    if (hashBytes[i+16] != hash[i])
        throw new UnauthorizedAccessException();

Note: The number of iterations can be adjusted based on the performance requirements of the application. A generally recommended minimum value is 10,000.

The above is the detailed content of How to Securely Hash Passwords in .NET Using PBKDF2?. For more information, please follow other related articles on the PHP Chinese website!