A public salt will not make dictionary attacks harder when cracking a single password. As you’ve pointed out, the attacker has access to both the hashed password and the salt, so when running the dictionary attack, she can simply use the known salt when attempting to crack the password. A public salt does two things: … Read more
Update: Simply using a hash function is not strong enough for storing passwords. You should read the answer from Gilles on this thread for a more detailed explanation. For passwords, use a key-strengthening hash algorithm like Bcrypt or Argon2i. For example, in PHP, use the password_hash() function, which uses Bcrypt by default. $hash = password_hash(“rasmuslerdorf”, … Read more
I’ve had nice results with djb2 by Dan Bernstein. unsigned long hash(unsigned char *str) { unsigned long hash = 5381; int c; while (c = *str++) hash = ((hash << 5) + hash) + c; /* hash * 33 + c */ return hash; }
Most of the other answers here are somewhat out-of-date with today’s best practices. As such here is the application of using PBKDF2/Rfc2898DeriveBytes to store and verify passwords. The following code is in a stand-alone class in this post: Another example of how to store a salted password hash. The basics are really easy, so here … Read more
I found the following algorithm provides a very good statistical distribution. Each input bit affects each output bit with about 50% probability. There are no collisions (each input results in a different output). The algorithm is fast except if the CPU doesn’t have a built-in integer multiplication unit. C code, assuming int is 32 bit … Read more
The modular crypt format for bcrypt consists of $2$, $2a$ or $2y$ identifying the hashing algorithm and format a two digit value denoting the cost parameter, followed by $ a 53 characters long base-64-encoded value (they use the alphabet ., /, 0–9, A–Z, a–z that is different to the standard Base 64 Encoding alphabet) consisting … Read more
Hashing a password once is insecure No, multiple hashes are not less secure; they are an essential part of secure password use. Iterating the hash increases the time it takes for an attacker to try each password in their list of candidates. You can easily increase the time it takes to attack a password from … Read more
It’s very simple using System.Security.Cryptography.MD5: using (var md5 = MD5.Create()) { using (var stream = File.OpenRead(filename)) { return md5.ComputeHash(stream); } } (I believe that actually the MD5 implementation used doesn’t need to be disposed, but I’d probably still do so anyway.) How you compare the results afterwards is up to you; you can convert the … Read more
A lot of people are saying that once you get to the size where speed is actually a concern that HashSet<T> will always beat List<T>, but that depends on what you are doing. Let’s say you have a List<T> that will only ever have on average 5 items in it. Over a large number of … Read more
Here’s an explanation in layman’s terms. Let’s assume you want to fill up a library with books and not just stuff them in there, but you want to be able to easily find them again when you need them. So, you decide that if the person that wants to read a book knows the title … Read more