Salt a password - are there better options than using a timestamp?

Question

Salt a password - are there better options than using a timestamp?

I am currently creating a couple of ASP.NET MVC 2 sites, and I wonder what my options are for salting a password. With my PHP work, I usually got the timestamp when a user logged in, and then added it to the end of the password string before using SHA1 to hash everything. My instinct is that this approach may not be enough.

In any case, I'm pretty new to user administration with ASP.NET, so I think that from the very beginning I would like to start with best practices. I know that ASP.NET web forms have built-in user administration, but I'm not sure about MVC.

+3

salt asp.net-mvc-2

Major productions Aug 18 '10 at 20:33

source share

1 answer

Sqlryan · Accepted Answer · 2010-08-18T20:35:04+0000

The only point of SALT is to prevent rainbow attacks when multiple users have the same hash for their password, so reversing one password successfully means that you also know the password for everyone else with the same hash. Even a single-valued salt will prevent this, since two users with the same password will have different hashes if they have different salts.

As long as salt is something that will not change, and it is different for each user, any value will work well. The timestamp of their registration, provided that you do not update this field (which will invalidate the password hash and prevent their registration) is an excellent choice.

Salt a password - are there better options than using a timestamp?

More articles: