Do not use a predictable salt

Docs > Code Analysis > Static Analysis Rules > Do not use a predictable salt

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

ID: csharp-security/no-predictable-salt

Language: C#

Severity: Error

Category: Security

CWE: 760

Description

A salt to hash a password should always be different for each user. Otherwise, it becomes an attack vector. As mentioned on Wikipedia “The way salting is typically done is that a new salt is randomly generated for each password”.

Learn More

Non-Compliant Code Examples

using System.Security.Cryptography;

class MyClass {
    public static void createHashedPassword1(password)
    {
        var salt = Encoding.UTF8.GetBytes("myuniquesalt");
        return new Rfc2898DeriveBytes(password, salt);
    }

    public static void createHashedPassword2(password)
    {
        return new Rfc2898DeriveBytes(password, Encoding.UTF8.GetBytes("myuniquesalt"));
    }

    public static void createHashedPassword3(password)
    {
        return new Rfc2898DeriveBytes(password, GetBytes("myuniquesalt"));
    }
}

Compliant Code Examples

using System.Security.Cryptography;

class MyClass {
    public static void createHashedPassword(password)
    {
        return new Rfc2898DeriveBytes(password, 32);
    }
}