Hashed passwords provide much better security than storing passwords in the database as simple text. They are, however, potentially vulnerable to a dictionary attack. In a dictionary attack, the attacker attempts to guess passwords by using software to iteratively hash all words in a large dictionary and compare the generated hashes to the stored hash values.
You can help prevent dictionary attacks by requiring the end users to define passwords that are not common words and that contain some numbers or other nonalphanumeric characters.
In addition, you can add a random set of bytes at the beginning or end of the password before hashing it. This random set of bytes is called a salt. You then store this salt value in the table along with the password.
There are many ways to generate a salt value. One way is to generate a globally unique ID, or GUID, as follows.
public static String ComputeSalt()
{
System.Guid GuidValue = System.Guid.NewGuid();
return GuidValue.ToString();
}
This code can also be included in your utility component so it can be reused.
By using both the hash and the salt, you can minimize the possibility of an unauthorized user accessing your application.
