Do not use a predictable salt

Docs > Code Analysis > Static Analysis Rules > Do not use a predictable salt

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: csharp-security/no-predictable-salt

Language: C#

Severity: Error

Category: Security

CWE: 760

Description

A salt to hash a password should always be different for each user. Otherwise, it becomes an attack vector. As mentioned on Wikipedia “The way salting is typically done is that a new salt is randomly generated for each password”.

Learn More

Non-Compliant Code Examples

using System.Security.Cryptography;

class MyClass {
    public static void createHashedPassword1(password)
    {
        var salt = Encoding.UTF8.GetBytes("myuniquesalt");
        return new Rfc2898DeriveBytes(password, salt);
    }

    public static void createHashedPassword2(password)
    {
        return new Rfc2898DeriveBytes(password, Encoding.UTF8.GetBytes("myuniquesalt"));
    }

    public static void createHashedPassword3(password)
    {
        return new Rfc2898DeriveBytes(password, GetBytes("myuniquesalt"));
    }
}

Compliant Code Examples

using System.Security.Cryptography;

class MyClass {
    public static void createHashedPassword(password)
    {
        return new Rfc2898DeriveBytes(password, 32);
    }
}