In cryptography, a salt is random data that is used as an additional input to a one-way function that “hashes” data, a password or passphrase. Salts are closely related to the concept of nonce. The primary function of salts is to defend against dictionary attacks or against its hashed equivalent, a pre-computed rainbow table attack.
This can be visually demonstrated as:
salt string can be passed as the users email if you are lazy but its better to generate your own byte array.
public class EncryptionService
MD5 is considered deprecated
Consider the following username and password:
var email = "firstname.lastname@example.org";
The password value needs to be hashed and then persisted to the database.
- Create the salt by getting the byte array values of the email, the assumption would be that an email address is unique.
You can SHOULD create a random byte array for the salt using
RNGCryptoServiceProvider. You would then need to persist that byte array to the database and use it in your user authentication challenge routine. The use of
var salt = Encoding.ASCII.GetBytes(email);
- Create a byte array of the password and concatenate the two into one byte array
var value = Encoding.UTF8.GetBytes(password);
- Create a MD5 hash from the ‘salted value’
// need MD5 to calculate the hash
- Encode and to string the hash. You can also use
// string representation (similar to UNIX format)
This would then result in a value of