I am developing a website which requires users to register to it in order to use it's functions and I was wondering if SHA-256 + salt (random salt provided by RNGCryptoServiceProvider in C#) is secure and good enough to use in 2017?
-
How is this a duplicate? The first post is from 2011 and the second one is from 2015. Security information changes. – Itay080 Jun 29 '17 at 08:43
-
20It wasn't good in 2011, it hasn't magically become good since then. – Gilles 'SO- stop being evil' Jun 29 '17 at 09:07
-
Use PBKDF2, scrypt, or bcrypt. Anything else (including salted single-iteration SHA256) is unacceptable. End of story. – marcelm Jun 29 '17 at 11:22
-
This is wrong. Argon2 is presumably the best answer now, but not the conservative one. – Bruno Rohée Jul 19 '17 at 09:09
2 Answers
For password storage, salted SHA256 hashes are not recommended. This is because the general purpose SHA256 is designed to be fast. Fast is exactly what you do not want for a password hashing algorithm, because it makes brute force and dictionary attacks far more efficient.
Password storage hashes are designed to require a certain workload and in some instances, a minimum memory requirement. Good password storage scheme are designed to be hard to serialize and/or optimize.
The recommended password storage scheme in 2017 is BCrypt hash, with PBKDF2 as alternative, but slightly less regarded, option.
For a more complete answer, please read the sec.se 'standard answer' on password hashing by Thomas Pornin.
- 7,512
- 4
- 32
- 53
-
While I agree with the answer in general, that there is no real way to protect bad passwords in your DB against a dictionary attack. – Eiver Jun 29 '17 at 11:17
-
4@Eiver You can't protect against the absolute worst passwords; but the difference between 10k tries/second/box and 10b tries/sec/box is enough to protect the average user who has a marginally strong password against non-targetted attacks. – Dan Is Fiddling By Firelight Jun 29 '17 at 12:27
-
Bitcoin is based on SHA-256. If a Bitcoin secret is so easy to be brute-forced because of the speed of SHA-256, it wouldn't have been chosen. Now, is a password more important than a Bitcoin secret to call for a slower algorithm to delay the brute-force? I don't think so. – RomanKousta Mar 03 '21 at 23:52
It could be - if it meets your risk assessment for the potential threats you feel it faces.
But I would recommend you look at using a Password Based Derivation Function. These are hashed based style functions ideal for password storage.
Look into PBKF#2 for your C# application. There is also the widely used Bcrypt (although I use the former with C# as it's native)
This maybe of help: https://lockmedown.com/hash-right-implementing-pbkdf2-net/
But I recommend you check the MSDN documentation for up to date information.
- 3,272
- 12
- 22