Hi, you should consider encrypting that fixed random salt with DPAPI :)
greetings
dominick

-----Original Message-----
From: Moderated discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED]] On Behalf Of Craig Andera
Sent: Wednesday, January 8, 2003 19:30
To: [EMAIL PROTECTED]
Subject: Re: [ADVANCED-DOTNET] Salt in PasswordDeriveBytes

> That's not the most earth-shattering way of doing things, but it should slow
> down any script-kiddie that gets the password file; he will have to append
> the username to every password try on every different table row. It also
> makes the salt different for each user, but is easier to maintain than a
> random number (or even a well-known hard-coded number) for each one.

I use both: the password plus the username plus some fixed random salt from the config file. It's trivial to pull something out of the config file with ConfigurationSettings.AppSettings.

You can read messages from the Advanced DOTNET archive, unsubscribe from Advanced DOTNET, or subscribe to other DevelopMentor lists at http://discuss.develop.com.
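
The scheme discussed in this thread, as an added example that is not code from any of the posters: the salt is the username followed by a fixed random salt, and that fixed salt is kept in the config file only as a DPAPI-protected blob. It swaps PasswordDeriveBytes for Rfc2898DeriveBytes (PBKDF2) and assumes Windows with .NET Framework 4.7.2 or later and a reference to System.Security; the class name, iteration count and sample credentials are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SaltedPassword
{
    const int Iterations = 100000;   // assumed work factor, tune for your hardware

    // Run once at deployment under the application's own Windows account and store
    // the result in appSettings. CurrentUser scope: only that account can decrypt.
    public static string ProtectSalt(byte[] fixedSalt) =>
        Convert.ToBase64String(ProtectedData.Protect(fixedSalt, null, DataProtectionScope.CurrentUser));

    // At startup: pass in the base64 value read from the config file's appSettings.
    public static byte[] UnprotectSalt(string configValue) =>
        ProtectedData.Unprotect(Convert.FromBase64String(configValue), null, DataProtectionScope.CurrentUser);

    // Salt = username bytes followed by the fixed salt, so every row gets a different salt.
    public static byte[] Derive(string userName, string password, byte[] fixedSalt)
    {
        byte[] user = Encoding.UTF8.GetBytes(userName);
        byte[] salt = new byte[user.Length + fixedSalt.Length];
        Buffer.BlockCopy(user, 0, salt, 0, user.Length);
        Buffer.BlockCopy(fixedSalt, 0, salt, user.Length, fixedSalt.Length);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    // Compare without an early exit so timing does not reveal where the values differ.
    public static bool Verify(string userName, string password, byte[] fixedSalt, byte[] stored)
    {
        byte[] actual = Derive(userName, password, fixedSalt);
        int diff = actual.Length ^ stored.Length;
        for (int i = 0; i < actual.Length && i < stored.Length; i++)
            diff |= actual[i] ^ stored[i];
        return diff == 0;
    }

    static void Main()
    {
        byte[] fixedSalt = new byte[16];                      // constructed sample salt
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(fixedSalt);
        byte[] salt = UnprotectSalt(ProtectSalt(fixedSalt));  // round trip through DPAPI
        byte[] stored = Derive("alice", "constructed-password", salt);
        Console.WriteLine(Verify("alice", "constructed-password", salt, stored));
        Console.WriteLine(Verify("alice", "wrong-password", salt, stored));
    }
}
```

Because the blob is bound to the Windows account that called ProtectSalt, a copy of the config file taken together with the password table does not by itself reveal the fixed salt.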
