Tuesday, 3 February 2015

HMACs that have the same key and message



I'm using HMACSHA256 to generate the hash of a password and store it. The objective here is just to authenticate users, i.e. save their hashed passwords and validate users whenever needed using the hashed passwords.



using System;
using System.Linq;
using System.Security.Cryptography;

// salt is a GUID we store separately; it's the id of the user
byte[] GetHash(byte[] password, byte[] salt)
{
    // message = salt || password
    byte[] saltAndPassword = salt.Concat(password).ToArray();

    // the password itself is used as the HMAC key
    using (var hmac = new HMACSHA256(password))
    {
        return hmac.ComputeHash(saltAndPassword);
    }
}


Notice that the key is the password, and the hash is generated on salt+password.


Can we have the password as the key to hash the salt+password? Will that compromise security? When using HMACSHA256, do we necessarily have to have key management in order to use separate keys rather than passwords?


Also, do keys have to be unique in HMACSHA256?


I know that people often suggest slow functions like PBKDF2, Scrypt etc.


But is using HMACSHA256 safe too? Do people actually use an HMAC for hashing and storing passwords? What would be the recommended approach for hashing and storing passwords (if all you have is passwords and unique salts)?


Apologies for the parade of questions :) Thank you in advance.
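An added worked example (my own code, not the poster's, and in Python with only the standard library rather than the post's C#): it reproduces the scheme from the post (HMAC-SHA256 keyed with the password over salt+password), shows that PBKDF2-HMAC-SHA256 is that same HMAC chained many times, and then hashes and verifies passwords with a per-user salt, stored parameters and a constant-time comparison. The sample salt, password and iteration count are constructed for the example, not taken from the post.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed sample values for this example (not from the post): a made-up
# user id used as the salt, as the post does, plus a test password.
SAMPLE_SALT = b"0f8fad5b-d9cb-469f-a165-70867728950e"
SAMPLE_PASSWORD = b"correct horse battery staple"

# Hypothetical work factor for this example; tune it to your own hardware.
ITERATIONS = 600_000


def hmac_scheme(password: bytes, salt: bytes) -> bytes:
    """The post's scheme: HMAC-SHA256 keyed with the password over salt || password.
    One HMAC call per guess, so each password guess costs an attacker one HMAC too."""
    return hmac.new(password, salt + password, hashlib.sha256).digest()


def pbkdf2_hash(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: the same HMAC primitive, chained `iterations` times."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def pbkdf2_one_iteration_is_hmac(password: bytes, salt: bytes) -> bool:
    """Relationship between the two: with one iteration and a 32-byte output,
    PBKDF2-HMAC-SHA256 is exactly HMAC(password, salt || INT_32BE(1))."""
    single = hashlib.pbkdf2_hmac("sha256", password, salt, 1, dklen=32)
    direct = hmac.new(password, salt + (1).to_bytes(4, "big"), hashlib.sha256).digest()
    return single == direct


def make_record(password: bytes, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Build the string to store: algorithm, iteration count, salt and digest.
    Keeping the parameters beside the digest lets you raise the cost later
    without breaking existing accounts."""
    if salt is None:
        # Random per-user salt. A unique value like the post's user id also
        # works: salts need only be unique per user, not secret.
        salt = os.urandom(16)
    digest = pbkdf2_hash(password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: bytes, record: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = pbkdf2_hash(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def cost_ratio(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> float:
    """Rough wall-clock cost of one PBKDF2 guess relative to one plain HMAC guess.
    Timings vary by machine; only the order of magnitude is meaningful."""
    start = time.perf_counter()
    for _ in range(1000):
        hmac_scheme(password, salt)
    hmac_cost = (time.perf_counter() - start) / 1000
    start = time.perf_counter()
    pbkdf2_hash(password, salt, iterations)
    pbkdf2_cost = time.perf_counter() - start
    return pbkdf2_cost / hmac_cost


if __name__ == "__main__":
    record = make_record(SAMPLE_PASSWORD, SAMPLE_SALT)
    print(record)
    print("verify correct:", verify(SAMPLE_PASSWORD, record))
    print("verify wrong:  ", verify(b"hunter2", record))
    print("PBKDF2(1 iter) == HMAC:", pbkdf2_one_iteration_is_hmac(SAMPLE_PASSWORD, SAMPLE_SALT))
    print(f"one PBKDF2 guess costs about {cost_ratio(SAMPLE_PASSWORD, SAMPLE_SALT):,.0f} HMAC guesses")
```

The design point: both functions salt correctly, and HMAC-SHA256 is a sound primitive, but the post's construction performs a single HMAC per guess, so its cost to an attacker who obtains the stored hashes is the same as one fast hash. PBKDF2 does not replace HMAC, it iterates it, and the iteration count stored in the record is what makes offline guessing expensive and tunable over time.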




