PBKDF2 for Password Hashing C# with Example
PBKDF2 ("Password-Based Key Derivation Function 2") is one of the recommended hash-functions for password-
hashing. It is part of rfc-2898.
.NET's Rfc2898DeriveBytes-Class is based upon HMACSHA1.
public const int SALT_SIZE = 24; // size in bytes
public const int HASH_SIZE = 24; // size in bytes
public const int ITERATIONS = 100000; // number of pbkdf2 iterations
public static byte CreateHash(string input)
// Generate a salt
RNGCryptoServiceProvider provider = new RNGCryptoServiceProvider();
byte salt = new byte[SALT_SIZE];
// Generate the hash
Rfc2898DeriveBytes pbkdf2 = new Rfc2898DeriveBytes(input, salt, ITERATIONS);
PBKDF2 requires a salt and the number of iterations.
A high number of iterations will slow the algorithm down, which makes password cracking a lot harder. A high
number of iterations is therefor recommended. PBKDF2 is order of magnitudes slower than MD5 for example.
A salt will prevent the lookup of hash values in rainbow tables. It has to be stored alongside the password hash.
One salt per password (not one global salt) is recommended.