Hello,
I'm rolling my own membership provider and I've come to the point of passwords.
Security is very important to me so I want to make sure I do this right.
I want to make sure I'm creating a big strong hash and a long per-user salt.
Below is the existing code from the membership provider:
using System;
using System.Text;
using System.Security.Cryptography;

// Existing provider code: a keyed HMAC-SHA1 over the UTF-16 bytes of the password,
// keyed with the machineKey validationKey (HexToByte and machineKey come from the provider)
HMACSHA1 hash = new HMACSHA1();
hash.Key = HexToByte(machineKey.ValidationKey);
encodedPassword = Convert.ToBase64String(hash.ComputeHash(Encoding.Unicode.GetBytes(password)));
My questions are:
How should I create a salt? I can't quite see how the existing membership provider is doing it. (I want to create a new one per user.)
How long should my salt be?
Which hashing algorithm should I use on the password? (Please provide an example of how to implement it).
Do I need to worry about encryption at all (I don't mean SSL, I'm referring to the data itself)?
At what point should I think about encrypting the table or fields within the table containing user data? (I'm only storing username, hashed password, salt and email address, not credit card details for example.)