You're on the right track with PBKDF2 / Rfc2898DeriveBytes. If you just need it for hashing passwords, have a look at SimpleCrypto.Net, which is basically a thin wrapper around Rfc2898DeriveBytes.
With SimpleCrypto.Net, you hash a user's password like this:
```csharp
// the PBKDF2 implementation from SimpleCrypto.Net
private ICryptoService cryptoService = new PBKDF2();

private void SetNewPassword(User user, string newPassword)
{
    // a new password hash is generated from a generated salt with the default settings
    user.Password = cryptoService.Compute(newPassword);
    // assigning the generated salt to the user (Compute stores it in the Salt property)
    user.PasswordSalt = cryptoService.Salt;
}
```
To check if a user entered the right password, you compute the hash with the same salt and compare it with the one you stored in your database:
```csharp
private bool ValidatePassword(User user, string password)
{
    // hash the password with the saved salt for that user
    string hashed = cryptoService.Compute(password, user.PasswordSalt);
    // return true if both hashes are the same (plain string comparison)
    return hashed == user.Password;
}
```
Another possibility for securely hashing passwords is bcrypt. There is an implementation called BCrypt.Net.