Can someone help me understand the usage of a salt in PasswordDeriveBytes? I think I understand, but I want confirmation.

Right now, I create a salt for each user when the user is created. I use PasswordDeriveBytes to create a user key based on a password and the salt. Then I store the user key and the salt.

Now, I don't want to transmit a password over the wire, right? So client-side code needs three things to prepare its authentication message: 1) the password from the user, 2) a nonce, and 3) the salt.

I have not stored the password because I don't want an attacker to be able to walk off with the password file. I have not stored a simple hashed password because I don't want an attacker to be able to walk off with the password file and use dictionary attacks against it. I have stored a salted hashed password, so the client needs the salt in order to create the user key. Is this right? Should I be allowing anyone to say "My user name is joe, what is the salt I should be using?"
Thanks in advance,
Ed Pinto

You can read messages from the Advanced DOTNET archive, unsubscribe from Advanced DOTNET, or subscribe to other DevelopMentor lists at http://discuss.develop.com.
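The exchange described in the post, written out as an added C# example. This is not code from the original message or from DevelopMentor. It uses Rfc2898DeriveBytes (PBKDF2) in place of PasswordDeriveBytes, and it assumes .NET 6 or later for RandomNumberGenerator.Fill and CryptographicOperations.FixedTimeEquals. The class names, the 16-byte salt and nonce, the 32-byte user key, the iteration count and the sample user and password are all my choices, not anything from the post.

```csharp
// Added example: salted user key plus nonce challenge-response.
// Rfc2898DeriveBytes stands in for PasswordDeriveBytes; sizes and names are assumptions.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class Kdf
{
    public const int Iterations = 100_000; // assumption; tune to your hardware
    public const int KeyLength = 32;       // 256-bit user key

    // Both sides run the same derivation: password + per-user salt -> user key.
    public static byte[] DeriveUserKey(string password, byte[] salt)
    {
        using (var pbkdf2 = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            return pbkdf2.GetBytes(KeyLength);
        }
    }
}

public static class Proof
{
    // What actually crosses the wire: a MAC of the server's nonce under the user key.
    public static byte[] Compute(byte[] userKey, byte[] nonce)
    {
        using (var hmac = new HMACSHA256(userKey)) return hmac.ComputeHash(nonce);
    }
}

public sealed class AuthServer
{
    // The "password file": salt and derived key per user, never the password itself.
    private sealed class Record { public byte[] Salt; public byte[] UserKey; public byte[] PendingNonce; }
    private readonly Dictionary<string, Record> _users = new Dictionary<string, Record>();
    private readonly byte[] _enumerationSecret = RandomBytes(32); // server-only secret (my choice)

    public void CreateUser(string username, string password)
    {
        var salt = RandomBytes(16);
        _users[username] = new Record { Salt = salt, UserKey = Kdf.DeriveUserKey(password, salt) };
    }

    // Step 1: "my user name is X" -> salt plus a fresh one-time nonce.
    public (byte[] Salt, byte[] Nonce) Challenge(string username)
    {
        if (_users.TryGetValue(username, out var rec))
        {
            rec.PendingNonce = RandomBytes(16);
            return (rec.Salt, rec.PendingNonce);
        }
        // Unknown name: answer anyway with a stable fake salt, so this step does not
        // reveal which user names exist. Verify() rejects whatever comes back.
        using (var h = new HMACSHA256(_enumerationSecret))
        {
            var fake = new byte[16];
            Array.Copy(h.ComputeHash(Encoding.UTF8.GetBytes(username)), fake, fake.Length);
            return (fake, RandomBytes(16));
        }
    }

    // Step 2: recompute the proof from the stored key; the nonce is consumed either way.
    public bool Verify(string username, byte[] response)
    {
        if (!_users.TryGetValue(username, out var rec) || rec.PendingNonce == null) return false;
        var nonce = rec.PendingNonce;
        rec.PendingNonce = null; // a replayed response fails
        var expected = Proof.Compute(rec.UserKey, nonce);
        return CryptographicOperations.FixedTimeEquals(expected, response);
    }

    private static byte[] RandomBytes(int n)
    {
        var b = new byte[n];
        RandomNumberGenerator.Fill(b);
        return b;
    }
}

public static class AuthClient
{
    // The password stays here; only HMAC(userKey, nonce) leaves the client.
    public static byte[] Respond(string password, byte[] salt, byte[] nonce)
    {
        return Proof.Compute(Kdf.DeriveUserKey(password, salt), nonce);
    }
}

public static class Demo
{
    public static void Main()
    {
        var server = new AuthServer();
        server.CreateUser("joe", "correct horse battery staple"); // constructed sample user

        var (salt, nonce) = server.Challenge("joe");
        var proof = AuthClient.Respond("correct horse battery staple", salt, nonce);
        Console.WriteLine("good password:  " + server.Verify("joe", proof));
        Console.WriteLine("replayed proof: " + server.Verify("joe", proof));

        (salt, nonce) = server.Challenge("joe");
        var bad = AuthClient.Respond("wrong password", salt, nonce);
        Console.WriteLine("wrong password: " + server.Verify("joe", bad));
    }
}
```

The first Verify succeeds, the second fails because the nonce was already consumed, and the third fails because the derived key does not match. On the salt question: the salt is not a secret, its job is only to make a precomputed dictionary useless across users, so handing it out in the challenge step is normal; the thing worth hiding at that step is whether the user name exists, which the fake-salt branch above addresses. One caveat with this shape of exchange: the client proves knowledge of the stored user key, not of the password, so a copy of the password file still lets an attacker answer the challenge for this service. It keeps the password itself, and any reuse of it elsewhere, from being exposed without a dictionary attack.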
