Use BCrypt to Hash Your Passwords: Example for C# and SQL Server

Rob Kraft, 12 Oct 2012, CPOL
Some implementation details.

By now you know passwords should be stored using a hash. Given your decision to do the right thing and hash your passwords you still have to decide some implementation details.

First, choose a hashing algorithm. Choose BCrypt. Why BCrypt? I’ll give you two reasons:

  1. It is deliberately slow, and its cost factor lets you make it slower as hardware gets faster. A slow, tunable hash thwarts brute-force attacks against a stolen database, because every guess costs the attacker as much work as one login costs you.
  2. The output from BCrypt uses its own Base-64-style alphabet (the characters ./A-Za-z0-9, plus the $ separators), all printable 7-bit ASCII, which means there are no characters that are tricky to store in a simple character field; the code page is irrelevant.

Second, find a reliable implementation of BCrypt. I am going to show an example using C#.Net and SQL Server, but good references exist for PHP and MySQL as well. I say a "reliable implementation" because there are flaws in some implementations, such as the one discovered in 2011 in the crypt_blowfish library used by PHP and several Unix systems (CVE-2011-2483): bytes above 0x7F in a password were sign-extended, which weakened the derived key for any password containing such characters. The corrected library marks its output with the $2y$ prefix, so a $2y$ hash indicates a version of BCrypt for Unix that does not contain this bug, while $2x$ marks hashes knowingly produced by the buggy code.

I am using Derek Slager's C# implementation of BCrypt, a port of Damien Miller's jBCrypt. Based on a little testing I did myself, I believe it does not contain the flaw cited above, but I am no expert at this. The 2011 bug lived in the C code of crypt_blowfish, which this port does not share, but the only real assurance is to run any implementation against published bcrypt test vectors before trusting it. Even if the bug discovered in 2011 existed in this implementation, it would be of little concern to me, as all of my users are located within the U.S. and are extremely unlikely to use password characters that cannot be typed directly on a standard keyboard (characters outside 7-bit ASCII). Keep in mind what the bug actually cost, though: for a password containing such a character the effective key was shortened, so that user's hash, and only that hash, became easier to crack. If you have international users, that is not a small population.

Third, understand the inputs and outputs. BCrypt includes a method to generate a random salt. When you hash a password with that salt, the output string carries the algorithm version, the cost factor, the salt and the hash together. Store that whole string in a CHAR(60) column in your database. You don't need to store the salt separately from the hashed password, nor should you: the check method expects the complete stored string as a parameter and reads the salt and cost back out of it when it later confirms a user-entered password.

Note that the salt always begins with something like $2a$10$, meaning version 2a of BCrypt and a cost factor of 10, i.e. 2^10 = 1,024 rounds of key expansion. 10 is the library default. Each step up doubles the work, so you can choose a larger number to make it slower or a smaller number to make it faster; 10 is a good choice for most of us on 2012 hardware, but measure it on your own servers and raise it as they get faster. Since the encoded salt is 22 characters (16 random bytes) and the $2a$10$ prefix is 7 characters, for a total of 29, the encoded hash is always the remaining 31 characters (23 bytes). The complete output that you store in the database is always 60 characters long.

string myPassword = "password";
string mySalt = BCrypt.GenerateSalt();
//mySalt == "$2a$10$rBV2JDeWW3.vKyeQcM8fFO"
string myHash = BCrypt.HashPassword(myPassword, mySalt);
//myHash == "$2a$10$rBV2JDeWW3.vKyeQcM8fFO4777l4bVeQgDL6VIkxqlzQ7TCalQvla"
bool doesPasswordMatch = BCrypt.CheckPassword(myPassword, myHash);
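The following is an added example, not code from the article. It pulls the fields described above back out of a stored string, and then does two things the article only recommends in prose: it times the library at increasing cost factors so you can pick a cost for your own hardware, and it flags stored hashes whose cost has fallen below policy so they can be rehashed at the user's next login. It assumes the same static BCrypt class used above (GenerateSalt(int), HashPassword, CheckPassword); the BcryptHashInfo type, Parse, CalibrateCost and NeedsRehash are names introduced here.

```csharp
// Added example. Assumes Derek Slager's BCrypt.Net port as used in the article:
// static BCrypt.GenerateSalt(int logRounds) / HashPassword(string, string).
// BcryptHashInfo, Parse, CalibrateCost and NeedsRehash are names introduced here.
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

public sealed class BcryptHashInfo
{
    public string Version;   // "2a" for hashes produced by this library
    public int Cost;         // log2 of the number of key-expansion rounds
    public string Salt;      // 22 characters encoding 16 random salt bytes
    public string Hash;      // 31 characters encoding 23 hash bytes

    // $<version>$<two-digit cost>$<22-char salt><31-char hash>; 60 characters for "$2a$".
    private static readonly Regex Format = new Regex(
        @"^\$(2[axyb]?)\$(\d\d)\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$",
        RegexOptions.Compiled);

    public static BcryptHashInfo Parse(string stored)
    {
        if (stored == null) throw new ArgumentNullException("stored");
        Match m = Format.Match(stored.TrimEnd());   // CHAR(60) may come back space-padded
        if (!m.Success)
            throw new FormatException("not a bcrypt string");
        int cost = int.Parse(m.Groups[2].Value);
        if (cost < 4 || cost > 31)                  // the range bcrypt defines
            throw new FormatException("bcrypt cost must be between 4 and 31");
        return new BcryptHashInfo
        {
            Version = m.Groups[1].Value,
            Cost = cost,
            Salt = m.Groups[3].Value,
            Hash = m.Groups[4].Value
        };
    }
}

public static class BcryptPolicy
{
    // Largest cost at which one hash still completes within targetMilliseconds on this host.
    // Run it once at deployment (not per request) and store the result as your policy cost.
    public static int CalibrateCost(int targetMilliseconds)
    {
        int cost = 4;
        while (cost < 31)
        {
            string salt = BCrypt.GenerateSalt(cost + 1);
            Stopwatch sw = Stopwatch.StartNew();
            BCrypt.HashPassword("calibration-only", salt);
            sw.Stop();
            if (sw.ElapsedMilliseconds > targetMilliseconds) break;
            cost++;
        }
        return cost;
    }

    // True when a stored hash was produced with a lower cost than policy now requires.
    // You cannot rehash without the plaintext, so do it right after a successful login.
    public static bool NeedsRehash(string stored, int requiredCost)
    {
        return BcryptHashInfo.Parse(stored).Cost < requiredCost;
    }
}
```

A reasonable target for CalibrateCost is a few hundred milliseconds per hash on the slowest server that will verify logins; anything much lower gives the attacker a cheap hash, anything much higher turns a credential-stuffing burst into a denial of service.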

Each stored password gets its own random salt, and every time a user changes their password you generate a new salt. I also encourage you to append a short secret string to the password before hashing it. I call it a hard-coded salt; the usual term is a pepper. It adds a little more challenge to brute-force attacks from hackers who have stolen your database but not your code or configuration, since without the pepper they cannot even test candidate passwords against the stolen hashes. Two caveats: keep the pepper out of the database, and remember that bcrypt only uses the first 72 bytes of its input, so cap the password length before appending the pepper or it will be silently truncated away for long passwords.

using System.Data;
using System.Data.SqlClient;

private void SetPassword(string user, string userPassword)
{
    string pwdToHash = userPassword + "^Y8~JJ"; // ^Y8~JJ is my hard-coded salt
    string hashToStoreInDatabase = BCrypt.HashPassword(pwdToHash, BCrypt.GenerateSalt());
    using (SqlConnection sqlConn = new SqlConnection(connectionString)) // connectionString: your connection string
    {
        sqlConn.Open();
        SqlCommand cmSql = sqlConn.CreateCommand();
        cmSql.CommandText = "UPDATE LOGINS SET PASSWORD=@parm1 WHERE USERNAME=@parm2";
        cmSql.Parameters.Add("@parm1", SqlDbType.Char, 60).Value = hashToStoreInDatabase; // bcrypt output is always 60 chars
        cmSql.Parameters.Add("@parm2", SqlDbType.VarChar, 50).Value = user;
        cmSql.ExecuteNonQuery();
    }
}

private bool DoesPasswordMatch(string hashedPwdFromDatabase, string userEnteredPassword)
{
    // The stored string already contains the salt and cost; BCrypt reads them back out.
    return BCrypt.CheckPassword(userEnteredPassword + "^Y8~JJ", hashedPwdFromDatabase);
}
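The following is an added example, not the article's code. It completes the pepper approach above with the read side (fetch the stored string and compare in application code, never in SQL), bounds the password so the pepper cannot be pushed past bcrypt's 72-byte input limit, and includes a small check that demonstrates what goes wrong when that bound is missing. It assumes the same static BCrypt class, the article's LOGINS table with USERNAME and a CHAR(60) PASSWORD column, and a connection string supplied by the caller; Pepper, MaxPasswordChars, Combine, HashForStorage, VerifyLogin and ShowTruncation are names introduced here.

```csharp
// Added example. Assumes Derek Slager's BCrypt.Net port as used in the article
// (static BCrypt.GenerateSalt(int) / HashPassword / CheckPassword) and the article's
// LOGINS(USERNAME, PASSWORD CHAR(60)) table. All other names are introduced here.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;

public static class PasswordStore
{
    // The article's "hard-coded salt" is a pepper: a secret that lives outside the database.
    // Load it from configuration or a secret store. Changing it invalidates every stored hash
    // until that user logs in again and is rehashed, so treat it as a long-lived key.
    public static readonly string Pepper = "^Y8~JJ";

    // bcrypt uses at most the first 72 bytes of its input. Anything appended beyond that,
    // including the pepper, is silently ignored, so bound the password before concatenating.
    public const int MaxPasswordChars = 64;

    public static string Combine(string password)
    {
        if (password == null) throw new ArgumentNullException("password");
        if (password.Length > MaxPasswordChars)
            throw new ArgumentException("password too long");
        string combined = password + Pepper;
        if (Encoding.UTF8.GetByteCount(combined) > 72)   // non-ASCII chars take more than one byte
            throw new ArgumentException("password plus pepper exceeds bcrypt's 72-byte input limit");
        return combined;
    }

    public static string HashForStorage(string password, int cost)
    {
        return BCrypt.HashPassword(Combine(password), BCrypt.GenerateSalt(cost));
    }

    // Read side: fetch the stored string and compare in application code. The plaintext
    // never travels to the database and the database never sees the comparison.
    public static bool VerifyLogin(string connectionString, string user, string enteredPassword)
    {
        string stored;
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT PASSWORD FROM LOGINS WHERE USERNAME = @user";
            cmd.Parameters.Add("@user", SqlDbType.VarChar, 50).Value = user;
            conn.Open();
            stored = cmd.ExecuteScalar() as string;   // null for unknown user or NULL column
        }
        if (stored == null) return false;

        string combined;
        try { combined = Combine(enteredPassword); }
        catch (ArgumentException) { return false; }  // over-long input can never match a stored hash

        return BCrypt.CheckPassword(combined, stored.TrimEnd());
    }

    // The failure mode MaxPasswordChars prevents: two different inputs that agree on their
    // first 72 bytes verify against the same hash, and the appended pepper never enters it.
    // Returns true when both collisions occur, i.e. when truncation is in effect.
    public static bool ShowTruncation()
    {
        string seventyTwo = new string('A', 72);
        string hash = BCrypt.HashPassword(seventyTwo + Pepper, BCrypt.GenerateSalt(4));
        bool tailIgnored = BCrypt.CheckPassword(seventyTwo + "B" + Pepper, hash); // differs only past byte 72
        bool pepperIgnored = BCrypt.CheckPassword(seventyTwo, hash);             // pepper was never hashed
        return tailIgnored && pepperIgnored;
    }
}
```

VerifyLogin returns quickly for an unknown user because no hash is computed; if user enumeration by response time matters to you, hash a dummy password on that path so both branches cost the same.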

Another reference to BCrypt compared to SHA512:


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Rob Kraft
Web Developer Kraft Software Solutions, Inc.
United States United States
Rob Kraft is an independent software developer for Kraft Software Solutions, Inc. He has been a software developer since the mid 80s and has a Master's Degree in Project Management. Rob lives near Kansas City, Missouri.

Article Copyright 2012 by Rob Kraft