HashPassword Method for Entity Framework MVC3 Razor Custom Member Provider C# Using LINQ

From my C# MVC3 Razor Custom Membership Provider article and source code, here is the code for the HashPassword method. I welcome any suggestions for improvement.
// helper method
private byte[] HashPassword(string password)
    // NKT: This will only work with a new database, 
// otherwise existing passwords will be broken. // If you use this, be sure to set the saltvalue to your own
// customization in the web.config file in your web app // <add key="SaltValue" value="*!ShiningStar!*" /> // This won't work with an existing database, as they won't have the salt value // so make sure you alter the password hash or encryption as needed for an existing database... CryptoProvider crypto = new CryptoProvider(); byte[] hashedPassword = crypto.EncryptData(password.Trim()); return hashedPassword; } public static string GetSaltValue() { string saltValue = ConfigurationManager.AppSettings["SaltValue"]; return saltValue; } public byte[] EncryptData(string dataString) { // NKT: custom method using functionality from this article // http://www.4guysfromrolla.com/articles/103002-1.2.aspx // salting has value //http://www.4guysfromrolla.com/articles/112002-1.aspx // this isn't as secure as a unique salt per user, but if you use a unique salt per site,
//at least they won't know that salt value if they steal the
// database and not the web.config file // store the saltvalue in the web.config file. make unique per website. string saltedString = dataString + GetSaltValue(); MD5CryptoServiceProvider md5Hasher = new MD5CryptoServiceProvider(); byte[] hashedDataBytes = null; UTF8Encoding encoder = new UTF8Encoding(); hashedDataBytes = md5Hasher.ComputeHash(encoder.GetBytes(saltedString)); return hashedDataBytes; }



  • Further to my comments on your previous post, here's some more information on why it's a bad idea to use the same salt value for all passwords:


  • And another:

Comments have been disabled for this content.