Random String | Password Salt Suggestion

StackOverflow https://stackoverflow.com/questions/23652825

Question

If we compared my method below with RCIX's method in this answer to a question, which is more efficient and why?

private string RandomString(int length = 25)
{
    const string chars = "aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ0123456789#@%&";
    StringBuilder sbSalt = new StringBuilder();

    for (int i = 0; i < length; i++)
    {
        int inx = 0;

        inx = rnd.Next(0, chars.Length);
        sbSalt.Append(chars[inx]);
    }

    return sbSalt.ToString();
}

private Random rnd = new Random();

The reason I did "aAbBcC..." instead of "abc...ABC..." was to increase the chances of randomization between the lower and capital case of each letter since they are next to each other.

And also, for a password salt, is it best to keep duplicate characters or should I make sure that each character is only encountered once per salt? Then again, if I allow duplicate characters, the salt combination amount that can be generated is greater.

Thanks in advance!

UPDATE #1:

I realised that if I called the RandomString function again, it would return the exact same Random String, so to fix that I declared rnd as new Random only once by moving it outside the function.

Was it helpful?

Solution

The reason I did "aAbBcC..." instead of "abc...ABC..." was to increase the chances of randomization between the lower and capital case of each letter since they are next to each other. this will not increase randomness between upper and lower case.

You can test this with a dice, the places of the numbers will not change the odds of even and odd numbers.

The efficiency will depend on how you define it. Do you want your code to be more or less readable? Do you need high performance? Maintainability?

In normal cases I wouldn't prefer the one above the other.

Is it best to keep duplicate characters or should I make sure that each character is only encountered once per salt?

actually, the amount of permutations increase if you allow double characters.

This means the string will be harder to crack in a brute force attack.

If you are using this salt for encryption techniques, it's best to use the framework's libraries. Like GetBytes():

http://msdn.microsoft.com/en-us/library/system.security.cryptography.rngcryptoserviceprovider.aspx

OTHER TIPS

The main use of salt is to make a encryption more difficult for a dictionary attack.

I do like to create dirt on the key itself and so far it is very efficient as i have encryption running couple hundred encryption/decryption per seconds over WCF services :

// sKey being the encryption key

// adding dirt to the string to make it harder to guess using a dictionary attack.
byte[] Dirt = Encoding.ASCII.GetBytes(sKey.Length.ToString());

// The Key will be generated from the specified Key and dirt.
PasswordDeriveBytes FinalKey = new PasswordDeriveBytes(sKey, Dirt);

// to use : FinalKey.GetBytes(16)
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top