PBKDF2 for Password Hashing
PBKDF2 ("Password-Based Key Derivation Function 2") is one of the recommended algorithms for password hashing. It is specified in RFC 2898 (PKCS #5 v2.0), which has since been superseded by RFC 8018.
.NET's Rfc2898DeriveBytes class implements PBKDF2. With the constructor used below it is based upon HMACSHA1 as the pseudorandom function; newer overloads take a HashAlgorithmName parameter to select SHA-256 or SHA-512 instead.
using System;
using System.Security.Cryptography;
...
public const int SALT_SIZE = 24; // size in bytes
public const int HASH_SIZE = 24; // size in bytes
public const int ITERATIONS = 100000; // number of PBKDF2 iterations

// Returns salt || hash. The salt has to be stored together with the hash,
// otherwise the derivation cannot be repeated when the password is verified.
public static byte[] CreateHash(string input)
{
    // Generate a fresh random salt for this password
    // (RandomNumberGenerator.Create() is the cross-platform replacement on .NET Core)
    byte[] salt = new byte[SALT_SIZE];
    using (RNGCryptoServiceProvider provider = new RNGCryptoServiceProvider())
    {
        provider.GetBytes(salt);
    }
    // Generate the hash (PBKDF2-HMAC-SHA1 with this constructor)
    byte[] hash;
    using (Rfc2898DeriveBytes pbkdf2 = new Rfc2898DeriveBytes(input, salt, ITERATIONS))
    {
        hash = pbkdf2.GetBytes(HASH_SIZE);
    }
    byte[] result = new byte[SALT_SIZE + HASH_SIZE];
    Buffer.BlockCopy(salt, 0, result, 0, SALT_SIZE);
    Buffer.BlockCopy(hash, 0, result, SALT_SIZE, HASH_SIZE);
    return result;
}
PBKDF2 takes two parameters besides the password: a salt and an iteration count.
Iterations:
A high iteration count slows the derivation down, and because an attacker has to repeat it for every guess, it makes password cracking proportionally more expensive. A high count is therefore recommended; PBKDF2 with 100,000 iterations is orders of magnitude slower than a single MD5 or SHA-1 hash. Choose the count so that one login costs a noticeable fraction of a second on your own hardware, store the count with each hash, and raise it for new passwords as hardware gets faster.
Salt:
A salt prevents the lookup of hash values in precomputed (rainbow) tables and ensures that two users with the same password get different hashes. It must be random (generated with a cryptographic RNG), does not need to be secret, and has to be stored alongside the password hash because verification needs it. One salt per password (not one global salt) is recommended: a global salt only defeats generic precomputed tables and still lets an attacker test each guess against every account at once.
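The two points above, a per-password salt stored with the hash and an iteration count that sets the cost, are easiest to see end to end together with the verification step the page does not show. The following is an added example, not the page's original code: it stores the iteration count, salt and hash in one string, re-derives the hash on login, and compares in constant time. The PasswordHasher class name, the "iterations$salt$hash" storage format and the sample passwords are assumptions made for this example. It uses the HashAlgorithmName constructor overload and CryptographicOperations.FixedTimeEquals, so it needs .NET Core 2.1 or later (or .NET 5+).

```csharp
// Added example, not the page's original code. PasswordHasher, the
// "iterations$salt$hash" storage format and the sample passwords are
// assumptions for this example. Requires .NET Core 2.1+ / .NET 5+.
using System;
using System.Diagnostics;
using System.Security.Cryptography;

public static class PasswordHasher
{
    public const int SALT_SIZE = 24;      // bytes
    public const int HASH_SIZE = 24;      // bytes
    public const int ITERATIONS = 100000; // default PBKDF2 iteration count

    // PBKDF2-HMAC-SHA256 via the explicit HashAlgorithmName overload
    // (the three-argument constructor defaults to HMAC-SHA1).
    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var pbkdf2 = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            return pbkdf2.GetBytes(HASH_SIZE);
        }
    }

    // Returns "iterations$base64(salt)$base64(hash)". Storing the iteration
    // count in the record lets you raise it for new passwords later while
    // old records still verify with the count they were created with.
    public static string CreateHash(string password, int iterations = ITERATIONS)
    {
        byte[] salt = new byte[SALT_SIZE];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt); // fresh random per-password salt; it need not be secret
        }
        byte[] hash = Derive(password, salt, iterations);
        return iterations + "$" + Convert.ToBase64String(salt) + "$" + Convert.ToBase64String(hash);
    }

    // Re-derives with the stored salt and iteration count and compares in
    // constant time, so an early-exit byte comparison cannot leak the hash.
    public static bool VerifyHash(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations) || iterations < 1)
            return false;
        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[1]);
            expected = Convert.FromBase64String(parts[2]);
        }
        catch (FormatException)
        {
            return false; // corrupt record is never a valid login
        }
        byte[] actual = Derive(password, salt, iterations);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    public static void Main()
    {
        string password = "correct horse battery staple"; // constructed sample
        string stored = CreateHash(password);
        Console.WriteLine("stored record:    " + stored);
        Console.WriteLine("correct password: " + VerifyHash(password, stored));
        Console.WriteLine("wrong password:   " + VerifyHash("Tr0ub4dor&3", stored));

        // Per-password salt: hashing the same password again yields a different
        // record, so equal passwords cannot be spotted in a leaked table.
        Console.WriteLine("second record for same password differs: " + (CreateHash(password) != stored));

        // Iteration cost: derivation time grows linearly with the count, for the
        // legitimate login and for every guess an attacker has to make.
        foreach (int n in new[] { 10000, 100000, 1000000 })
        {
            var sw = Stopwatch.StartNew();
            CreateHash(password, n);
            sw.Stop();
            Console.WriteLine(n + " iterations: " + sw.ElapsedMilliseconds + " ms");
        }
    }
}
```

Run the timing loop on the machine that will actually serve logins; the right iteration count is the largest one whose cost you can afford per login there, not a fixed number copied from a tutorial. VerifyHash returns false for malformed records instead of throwing, so a corrupted database row behaves like a wrong password rather than an unhandled exception.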