Nowhere in the code did we decrypt the password. In fact, the password is never stored anywhere. We always worked with the hash of the password. Here are the important points to take away from this recipe:
- Never use the Random class in C# to generate your salt. Always use the RNGCryptoServiceProvider class.
- Never reuse the same salt. Don't store one salt in a constant and use it to salt every password in your system; generate a fresh salt for each password.
- Never tell the user that the password is incorrect if the password didn't match. Also, never tell the user that they entered an incorrect username. Either message tells someone probing the system that one of the two login credentials was correct, and they only have to keep working on the other. Rather, if ...
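The three rules above, put together in one place as an added example (this is not the recipe's own code): a fresh salt per password from RNGCryptoServiceProvider, a salted hash that is the only thing stored, and a login check that answers with one generic message. The hash function is assumed to be PBKDF2 via Rfc2898DeriveBytes, the iteration count is a placeholder, and CryptographicOperations.FixedTimeEquals assumes .NET Core 2.1 or later (on .NET 6 and later RNGCryptoServiceProvider is marked obsolete; RandomNumberGenerator.Create() gives the same bytes).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public sealed class StoredCredential
{
    public byte[] Salt { get; set; }
    public byte[] Hash { get; set; }
}

public static class PasswordStore
{
    private const int SaltSize = 16, HashSize = 32;
    private const int Iterations = 100_000; // placeholder; tune for your hardware

    // One fresh salt per password from the CSPRNG, never from System.Random.
    public static byte[] NewSalt()
    {
        var salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        return salt;
    }

    // PBKDF2-HMAC-SHA256 over password and salt; only this output is stored.
    public static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashSize);
    }

    public static StoredCredential Create(string password)
    {
        var salt = NewSalt();
        return new StoredCredential { Salt = salt, Hash = Derive(password, salt) };
    }

    // Unknown user and wrong password get the same message and the same amount
    // of work, so neither the text nor the timing says which credential failed.
    private static readonly byte[] DummySalt = NewSalt();
    private static readonly byte[] DummyHash = Derive("placeholder", DummySalt);

    public static string Login(IDictionary<string, StoredCredential> users, string username, string password)
    {
        const string Failure = "Invalid username or password.";
        bool known = users.TryGetValue(username, out var stored);
        byte[] candidate = Derive(password, known ? stored.Salt : DummySalt);
        bool match = CryptographicOperations.FixedTimeEquals(candidate, known ? stored.Hash : DummyHash);
        return known && match ? "Login OK." : Failure;
    }
}
```

The dummy salt and hash exist only so that a login attempt for a username that does not exist still runs the full derivation; without that, a fast rejection would reveal through timing what the message refuses to say.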