Have you thought much about how to securely store passwords?  Having users create an account for a website is a very common process these days. Many social websites accomplish this by tying into Twitter, Facebook, or Google accounts with OAuth.

Internal enterprise websites are more likely to do something with the user's Windows domain credentials. These are all great options that can, when used appropriately, give websites more features and information to enhance a user's experience.

Securely Store Passwords

Sometimes a website just needs a standalone user database. Maybe it will run in a disconnected environment with no Internet or domain, or provide administrative abilities for a paid service, or serve some other purpose entirely. In these cases, the user's credentials, specifically their password, will be stored in the application's database. The goal of this article is to describe the steps that need to be taken when storing passwords in the database to make sure that it will be very difficult for an evil actor (e.g. hacker) to retrieve one or many of these passwords.

Using a Hashing Algorithm

While the process of securing a password is typically called encrypting, encryption is not a tool that should be used when securing passwords. This is because encryption is designed to be reversed, and this conversion from a random string of bytes back into the user's password is the very thing we are trying to avoid. Instead, we want to use a hashing algorithm on the password, because hashing algorithms are one-way, so the evil actor cannot extract the password from the hash.

Also, we don't want to use just any hashing algorithm, such as MD5 or SHA2, but instead one that is slow and expensive. This cost gets magnified on the evil actor's side because they will be computing several thousand hashes for every one that the web server computes. The slower we can make the hash of a single password, the more expensive it is for an evil actor to get one.

There are three hashing algorithms that are widely accepted for the purpose of hashing passwords: PBKDF2, bcrypt, and scrypt. Of these three algorithms, only PBKDF2 is included in the .NET libraries provided by Microsoft, though both bcrypt and scrypt are available in multiple 3rd party libraries and NuGet packages. The biggest difference between these algorithms is that scrypt is designed to be very memory intensive in addition to the CPU intensity that all three of these algorithms share. The reason that is desired is that it makes it much harder for evil actors to create hardware specifically for hacking the passwords.

Iterations

In addition to choosing a slow hashing algorithm, we want to run the hash several times to further slow down the hashing process. Generally speaking, the number of iterations should be in the thousands, though the exact number will depend on the hardware that the website will be running on and the number of requests the web server will be handling at any one time. The better the hardware and the lower the number of requests, the higher the number of iterations can be without impacting the user's experience. Ideally, the hashing process should take between a tenth of a second and half a second, though that is something that can change depending on the nature of the website and the data it provides.
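
The following C# example is added here and is not code from the original article: it uses the PBKDF2 implementation built into .NET (`Rfc2898DeriveBytes.Pbkdf2`, available in .NET 6 or later) to pick an iteration count that reaches the tenth-of-a-second lower bound on the current machine, then hashes and verifies a password with a per-user random salt. The SHA-256 PRF, the 16-byte salt, the `iterations.salt.hash` record layout, and the `PasswordHasher` class name are assumptions made for the example.

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography;

public static class PasswordHasher
{
    private const int SaltBytes = 16;   // assumed salt size
    private const int HashBytes = 32;   // assumed output size (matches SHA-256)
    private static readonly HashAlgorithmName Prf = HashAlgorithmName.SHA256; // assumed PRF

    // Double the iteration count until one hash takes at least targetMs on this hardware.
    public static int CalibrateIterations(int targetMs = 100)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        for (int iterations = 10_000; ; iterations *= 2)
        {
            var sw = Stopwatch.StartNew();
            Rfc2898DeriveBytes.Pbkdf2("calibration-password", salt, iterations, Prf, HashBytes);
            if (sw.ElapsedMilliseconds >= targetMs) return iterations;
        }
    }

    // Store the iteration count with the hash so the cost can be raised later
    // without invalidating existing records.
    public static string Hash(string password, int iterations)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes); // fresh salt per user
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, Prf, HashBytes);
        return $"{iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }

    // Recompute the hash with the stored salt and count; reject malformed records.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations) || iterations < 1) return false;
        byte[] salt, expected;
        try { salt = Convert.FromBase64String(parts[1]); expected = Convert.FromBase64String(parts[2]); }
        catch (FormatException) { return false; }
        if (expected.Length != HashBytes) return false;
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, Prf, HashBytes);
        return CryptographicOperations.FixedTimeEquals(actual, expected); // constant-time compare
    }

    public static void Main()
    {
        string record = Hash("constructed sample password", CalibrateIterations(100));
        Console.WriteLine(record);
        Console.WriteLine($"{Verify("constructed sample password", record)} {Verify("wrong guess", record)}");
    }
}
```

Run the calibration on the production web server under representative load, since a count measured on a developer workstation will not reflect the time a login actually costs there.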


By choosing a correct hashing algorithm with thousands of iterations and applying a salt and optionally a pepper to the process, we can get a unique value for each user. This value will be one that evil actors (e.g. hackers) will have a difficult time reversing but can be used rather easily by a web server to verify a user's login information. It will allow the users of the website to have comfort and trust that their information is secure and that no one could impersonate them on the website.
