So, I am using the approach David Hayden posted on his blog (http://davidhayden.com/blog/dave/archive/2004/02/16/157.aspx) to create a salt and hash the user's password by taking the user's raw password and the generated salt and using SHA1 to hash the value.
I then store the salt and the hashed password in the database.
The website is currently load balanced, so I was wondering if the resulting hash value would be the same for both servers.
Here is the snippet of code posted on David Hayden's blog:
using System;
using System.Security.Cryptography;
using System.Web.Security;

private static string CreateSalt(int size)
{
    // Generate `size` cryptographically random bytes to use as the salt.
    RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
    byte[] buff = new byte[size];
    rng.GetBytes(buff);
    // Return a Base64 string representation of the random bytes.
    return Convert.ToBase64String(buff);
}

private static string CreatePasswordHash(string pwd, string salt)
{
    // Append the salt to the password and hash the result with SHA1.
    // HashPasswordForStoringInConfigFile returns the digest as a hex string.
    string saltAndPwd = String.Concat(pwd, salt);
    string hashedPwd =
        FormsAuthentication.HashPasswordForStoringInConfigFile(
            saltAndPwd, "sha1");
    return hashedPwd;
}
The reason I ask is that this code uses the code snippet:
FormsAuthentication.HashPasswordForStoringInConfigFile(
saltAndPwd, "sha1");
I think the key question you're asking here is if the SHA1 algorithm is the same whatever server it is running on. In which case the answer is yes.
Presumably you store your generated salt somewhere that all the servers can access it, along with the password hash? So the method used to generate the salt doesn't need to be consistent across servers.
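The point made in the answer above, shown as an added example that is not part of the original thread and not David Hayden's code: the hash is a pure function of the password and the stored salt, so any node in the load-balanced pool can recompute and verify it, while the salt generator itself is only ever used once per user at registration. The Python below mirrors the posted C# under the assumption (mine, from memory of the .NET Framework implementation) that HashPasswordForStoringInConfigFile(s, "sha1") returns the SHA-1 of the UTF-8 bytes of s as an upper-case hex string; the function names, the user record dict and the two "nodes" are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os


def create_salt(size: int) -> str:
    """Mirror of the post's CreateSalt: `size` random bytes, Base64-encoded."""
    return base64.b64encode(os.urandom(size)).decode("ascii")


def create_password_hash(pwd: str, salt: str) -> str:
    """Mirror of the post's CreatePasswordHash.

    String.Concat(pwd, salt) puts the password first, then the salt; the
    digest is assumed to be upper-case hex over the UTF-8 bytes, as
    HashPasswordForStoringInConfigFile produces.
    """
    return hashlib.sha1((pwd + salt).encode("utf-8")).hexdigest().upper()


def register_user(pwd: str, salt_size: int = 16) -> dict:
    """Registration on whichever node handled the signup request.

    Only this node ever calls the RNG; the salt it drew is persisted next to
    the hash so every other node can reuse it.
    """
    salt = create_salt(salt_size)
    return {"salt": salt, "hash": create_password_hash(pwd, salt)}


def check_login(record: dict, pwd: str) -> bool:
    """Login on any node: recompute with the *stored* salt and compare.

    hmac.compare_digest avoids leaking how many leading characters matched.
    """
    candidate = create_password_hash(pwd, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def same_hash_on_every_node(pwd: str, salt: str, nodes: int = 2) -> bool:
    """Simulate `nodes` independent servers hashing the same (pwd, salt).

    Each call stands in for a separate process/machine; SHA-1 has no
    per-machine state, so all results are identical.
    """
    digests = {create_password_hash(pwd, salt) for _ in range(nodes)}
    return len(digests) == 1


if __name__ == "__main__":
    # Constructed data: sign up on "node A", log in on "node B".
    record = register_user("correct horse battery staple")
    print("stored record:", record)
    print("login on other node:", check_login(record, "correct horse battery staple"))
    print("wrong password:", check_login(record, "wrong"))
    print("deterministic across nodes:", same_hash_on_every_node("pw", record["salt"], 5))
```

Two things the code makes concrete: the RNG output never has to agree between servers (a second call to create_salt returns a different value, and that is fine), and the only thing that must be shared is the (salt, hash) pair in the database.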