paulhickman closed this issue 6 years ago
Not sure why I didn't see your comment earlier.
Not only did I do it wrong in the example code, but worse, I did it wrong in the actual code.
While you are correct that a more secure hash is better, I have to admit, I just didn't know how to do it in .Net Core (after spending probably less than a minute looking). The reason why I did not spend much time is that I know there are 2^32 starting positions for the standard random number generator and the main reason for the salt is to make cracking mechanisms like rainbow tables infeasible. Increasing the search space of a brute force algorithm by a factor of 4 billion typically makes it pretty infeasible.
Having said that, your comment is correct and I have modified the code (and the example code) to use "System.Security.Cryptography.RandomNumberGenerator.Create().GetBytes(salt)".
In your example usage, you should use RNGCryptoServiceProvider to generate the salt - Random.NextBytes() is not cryptographically secure.
See https://crackstation.net/hashing-security.htm for details of why.
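As an added example, not code from this project or from either commenter, the following shows the weak `System.Random` salt next to the `RandomNumberGenerator.Create().GetBytes(salt)` fix adopted above, and then uses the secure salt in a PBKDF2 password hash with a constant-time verify. It assumes .NET Core 2.1 or later (for `Rfc2898DeriveBytes` with `HashAlgorithmName` and `CryptographicOperations.FixedTimeEquals`); the class name, storage format and iteration count are illustrative choices, not anything from the project.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not the project's code). Assumes .NET Core 2.1+ for
// Rfc2898DeriveBytes(HashAlgorithmName) and CryptographicOperations.FixedTimeEquals.
public static class SaltedPasswordHasher
{
    private const int SaltSize = 16;        // 128-bit salt
    private const int HashSize = 32;        // 256-bit derived key
    private const int Iterations = 100_000; // illustrative PBKDF2 work factor
    private const string Scheme = "pbkdf2-sha256";

    // The weak pattern the issue points out: System.Random is a deterministic
    // PRNG seeded from a 32-bit value, so its output is predictable and must
    // not be used for salts or keys. Kept here only for contrast.
    public static byte[] WeakSalt()
    {
        var salt = new byte[SaltSize];
        new Random().NextBytes(salt);
        return salt;
    }

    // The fix adopted in the thread: a cryptographically secure generator.
    public static byte[] SecureSalt()
    {
        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        return salt;
    }

    // Derive a password hash with PBKDF2-HMAC-SHA256 and store scheme, iteration
    // count, salt and hash together so the work factor can be raised later
    // without breaking existing records.
    public static string HashPassword(string password)
    {
        byte[] salt = SecureSalt();
        byte[] hash;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            hash = kdf.GetBytes(HashSize);
        }
        return string.Join("$", Scheme, Iterations.ToString(),
            Convert.ToBase64String(salt), Convert.ToBase64String(hash));
    }

    // Re-derive with the stored parameters and compare in constant time so the
    // verification timing does not leak how many leading bytes matched.
    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != Scheme) return false;
        if (!int.TryParse(parts[1], out int iterations) || iterations <= 0) return false;

        byte[] salt = Convert.FromBase64String(parts[2]);
        byte[] expected = Convert.FromBase64String(parts[3]);
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            actual = kdf.GetBytes(expected.Length);
        }
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    public static void Main()
    {
        // Constructed sample input for demonstration.
        string stored = HashPassword("correct horse battery staple");
        Console.WriteLine(stored);
        Console.WriteLine(VerifyPassword("correct horse battery staple", stored));
        Console.WriteLine(VerifyPassword("wrong password", stored));
    }
}
```

The point of storing the iteration count alongside the hash is that a later increase in `Iterations` only affects newly hashed passwords; older records still verify with the count they were created with and can be re-hashed on the user's next successful login.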