Click here to Skip to main content
14,699,322 members
Articles » General Programming » Cryptography & Security » Encryption
Technical Blog
Posted 12 Oct 2012

Tagged as


23 bookmarked

Use BCrypt to Hash Your Passwords: Example for C# and SQL Server

Rate me:
Please Sign up or sign in to vote.
5.00/5 (16 votes)
12 Oct 2012CPOL
Some implementation details

By now, you know passwords should be stored using a hash. Given your decision to do the right thing and hash your passwords, you still have to decide on some implementation details.

First, choose a hashing algorithm. Choose BCrypt. Why BCrypt? I’ll give you two reasons:

  1. It is slow, and slow is good because it thwarts brute-force attacks (read more here).
  2. The output from BCrypt is a Base-64 alphabet ( which means there are no characters that are tricksy to store in a simple character field; CodePage is irrelevant.

Second, find a reliable implementation of BCrypt. I am going to show an example of using C#.NET and SQL Server, but here is a good reference I found using PHP and MySQL ( I also say a “reliable implementation” because there are flaws in some implementations, such as one discovered in 2011 and discussed in these articles (, (Search for $2y$) in this second article. – $2y$ indicates you are using a version of BCrypt for Unix that does not contain this bug).

I am using Derek Slager’s C# implementation of BCrypt downloaded from here. Based on a little testing I did myself, I believe it does not contain the flaw cited in the above article, but I am no expert at this. Even if the bug discovered in 2011 exists in this implementation of BCrypt, it is of little concern to me as all of my users are located within the U.S. and are extremely unlikely to be using password characters that cannot be directly entered from a standard keyboard (characters with ASCII values greater than 127). And even if a user does have such a password, the attack vector remains incredibly tiny for exploitation.

Third, understand the inputs and outputs. BCrypt includes a method to generate a salt. When the salt is applied to the password, the resulting hash holds the original salt and the hashed password. You can store the salt and password combined in a CHAR(60) field in your database. You don’t need to store the hashed password separately from the salt, nor should you, since the BCrypt class contains a method that expects the salt and password combined to be passed in as a parameter when later confirming the correctness of the user-entered password.

Note, the salt always begins with something like $2a$10$ meaning version 2a of BCrypt and 10 rounds of computations. 10 rounds is the default. You can choose larger numbers to make it slower, or smaller numbers to make it faster, but 10 is a really good choice for most of us. Since the rest of the salt is 22 bytes, and the $2a$10$ is 7 bytes for a total of 29 bytes, the hashed password is always the remaining 31 bytes. The total length of the output that you will store in the database is always 60 bytes long.

string myPassword = "password";
string mySalt = BCrypt.GenerateSalt();
//mySalt == "$2a$10$rBV2JDeWW3.vKyeQcM8fFO"
string myHash = BCrypt.HashPassword(myPassword, mySalt);
//myHash == "$2a$10$rBV2JDeWW3.vKyeQcM8fFO4777l4bVeQgDL6VIkxqlzQ7TCalQvla"
bool doesPasswordMatch = BCrypt.CheckPassword(myPassword, myHash);

Each password stored will have a different salt, and every time a user changes their password you will generate a new salt for the user. I also encourage you to add a little hard-coded salt to the password. This hard-coded salt adds a little more challenge to brute force attacks from hackers that steal your database, but have not stolen your code and don’t have the hard-coded salt.

private void SetPassword(string user, string userPassword)
   string pwdToHash = userPassword + "^Y8~JJ"; // ^Y8~JJ is my hard-coded salt
   string hashToStoreInDatabase = BCrypt.HashPassword(pwdToHash, BCrypt.GenerateSalt());
   using (SqlConnection sqlConn = new System.Data.SqlClient.SqlConnection(...)
     SqlCommand cmSql = sqlConn.CreateCommand();
     cmSql.CommandText = "UPDATE LOGINS SET PASSWORD=@parm1 WHERE USERNAME=@parm2";
     cmSql.Parameters.Add("@parm1", SqlDbType.Char);
     cmSql.Parameters.Add("@parm2", SqlDbType.VarChar);
     cmSql.Parameters["@parm1"].Value = hashToStoreInDatabase;
     cmSql.Parameters["@parm2"].Value = user;

private bool DoesPasswordMatch(string hashedPwdFromDatabase, string userEnteredPassword)
    return BCrypt.CheckPassword(userEnteredPassword + "^Y8~JJ", hashedPwdFromDatabase);

Another reference to BCrypt compared to SHA512:


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Rob Kraft
Software Developer (Senior) CentralSquare, Inc.
United States United States
Rob Kraft is a software developer for CentralSquare, Inc. He has been a software developer since the mid 80s and has a Master's Degree in Project Management. Rob lives near Kansas City, Missouri.

Comments and Discussions

QuestionWhat namespace do I use? Pin
The Magical Magikarp8-Feb-20 20:55
MemberThe Magical Magikarp8-Feb-20 20:55 
AnswerRe: What namespace do I use? Pin
Rob Kraft9-Feb-20 4:21
professionalRob Kraft9-Feb-20 4:21 
GeneralRe: What namespace do I use? Pin
The Magical Magikarp9-Feb-20 13:41
MemberThe Magical Magikarp9-Feb-20 13:41 
GeneralRe: What namespace do I use? Pin
The Magical Magikarp9-Feb-20 13:54
MemberThe Magical Magikarp9-Feb-20 13:54 
GeneralRe: What namespace do I use? Pin
Rob Kraft9-Feb-20 15:31
professionalRob Kraft9-Feb-20 15:31 
QuestionSalt?? Pin
roland_h4-Dec-16 17:39
Memberroland_h4-Dec-16 17:39 
AnswerRe: Salt?? Pin
Rob Kraft5-Dec-16 3:10
professionalRob Kraft5-Dec-16 3:10 
GeneralMy vote of 5 Pin
DiponRoy26-May-15 1:45
mvaDiponRoy26-May-15 1:45 
GeneralRe: My vote of 5 Pin
Rob Kraft26-May-15 3:29
professionalRob Kraft26-May-15 3:29 
GeneralVery helpful Pin
Wakabajashij14-Aug-14 21:56
MemberWakabajashij14-Aug-14 21:56 
GeneralRe: Very helpful Pin
Rob Kraft15-Aug-14 3:20
professionalRob Kraft15-Aug-14 3:20 
GeneralMy vote of 5 Pin
Alan Ball4-Sep-13 7:12
MemberAlan Ball4-Sep-13 7:12 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.