-2

What method is best suitable theses days for saving salted/hashed passwords in a database? I am thinking about BCrypt or SHA51 or PBKDF2, which one is best suited?

And someone please tell me how to implement them in Mysql database using Asp.net in C#.

Deep
  • 81
  • 2
  • 11
  • 1
    Your first part is suitable for one question, although this may be more of a preference depending on the nature of your project. The second part is entirely too broad to address in one post. – Kevin Raffay Apr 19 '17 at 16:27
  • Just using a hash function such as SHA512 is not sufficient and just adding a salt does little to improve the security. Instead use a function with a random salt and a computational time of about 100ms duration, save the salt and iteration count with the hash. Use a function such as `PBKDF2`, `Rfc2898DeriveBytes`, `password_hash`, `Bcrypt` or similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force from a frequent password list. – zaph Apr 30 '17 at 14:46
  • [NIST](https://www.nist.gov) currently recommends `PBKDF2`. See [Recommendation for Password-Based Key Derivation](http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf) – zaph Apr 30 '17 at 14:46

1 Answers1

2

How to save passwords in a database?

If you have to ask, you definitely don't want to implement this yourself.

How to implement [this] using ASP.NET

You're lucky, they already did that for you. It's called ASP.NET Identity and is usable with about any ORM and RDBMS you can think of.

Again, you do not want to deal with the saving of passwords yourself.

CodeCaster
  • 147,647
  • 23
  • 218
  • 272