> Hi,
> I just discovered the Rfc2898DeriveBytes class, thanks to the MSDN
> nugget on storing passwords [1]. The thing is, it left me hanging at
> the end. Should I be using this new class or should I be using SHA256
> to hash a concatenation of a user's password with a salt generated by
> means of an RNGCryptoServiceProvider. Also, if I choose the second
> method, is there tangible benefit to creating a random length salt, as
> observed here [2]? If anyone has the answers to these questions and
> wouldn't mind sharing them, I'd really appreciate it.
> Many thanks,
> Jono
> [1] http://www.microsoft.com/uk/msdn/events/nuggets.aspx [2]
> http://www.obviex.com/samples/hash.aspx
>

Dominick Baier wrote:
> Hi,
>
> well - i am a little biased :))
>
> But you should use the Rfc2898 class which gives you the additional benefit
> of iterations. 16 bytes lengths are enough.
>
>
> dominick
> www.leastprivilege.com
>
> > Hi,
> > I just discovered the Rfc2898DeriveBytes class, thanks to the MSDN
> > nugget on storing passwords [1]. The thing is, it left me hanging at
> > the end. Should I be using this new class or should I be using SHA256
> > to hash a concatenation of a user's password with a salt generated by
> > means of an RNGCryptoServiceProvider. Also, if I choose the second
> > method, is there tangible benefit to creating a random length salt, as
> > observed here [2]? If anyone has the answers to these questions and
> > wouldn't mind sharing them, I'd really appreciate it.
> > Many thanks,
> > Jono
> > [1] http://www.microsoft.com/uk/msdn/events/nuggets.aspx [2]
> > http://www.obviex.com/samples/hash.aspx
> >