MVC 3 Crypto Helper -- Will this add extra shield to make the password more secure?
A
string salt = Crypto.GenerateSalt();
string saltAndPwd = String.Concat(originalPassword, salt);
string hashedPwd = Crypto.HashPassword(saltAndPwd);
B
string hashedPwd = Crypto.HashPassword(originalPassword);
May I know, between Method A and Method B, which is more secure? Or which is the correct approach? With Reflector, I found this is the hash password method in the core:
public static string HashPassword(string password)
{
if (password == null)
{
throw new ArgumentNullException("password");
}
return HashWithSalt(password, GenerateSaltInternal(0x10));
}
As the main purpose of using a salt is to defeat rainbow tables, adding an additional salt to what HashPassword already does doesn't seem like it will gain you much benefit, and will only incur additional overhead (as you have to store the salt you generate yourself; HashPassword builds it into the returned value). For reference, this is what HashPassword does:
The password hash is generated with the RFC 2898 algorithm using a 128-bit salt, a 256-bit subkey, and 1000 iterations. The format of the generated hash bytestream is {0x00, salt, subkey}, which is base-64 encoded before it is returned.
So, in short, what's in the framework already is good enough for any reasonable definition of good enough.
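An added example (not the framework's own code) that reimplements the {0x00, salt, subkey} layout in Python so the answer's point can be checked: with Method B the salt is recoverable from the stored string and verification needs nothing else, whereas Method A's extra salt has to be stored separately or the hash can never be verified. It assumes HMAC-SHA1 as the PBKDF2 PRF and UTF-8 encoding of the password, neither of which the page states.

```python
import base64
import hashlib
import hmac
import os

# Layout the answer describes: {0x00, 128-bit salt, 256-bit subkey}, base-64 encoded.
FORMAT_MARKER = b"\x00"
SALT_BYTES = 16
SUBKEY_BYTES = 32
ITERATIONS = 1000
# Assumption: HMAC-SHA1 as the PBKDF2 PRF (the .NET Rfc2898DeriveBytes default);
# the answer names RFC 2898 but not the PRF.
PRF = "sha1"


def derive_subkey(password, salt):
    # Assumption: the password string is UTF-8 encoded before key derivation.
    return hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, ITERATIONS, SUBKEY_BYTES)


def hash_password(password, salt=None):
    """Method B: one call; the salt travels inside the returned string."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    return base64.b64encode(FORMAT_MARKER + salt + derive_subkey(password, salt)).decode("ascii")


def split_hashed(hashed):
    """Recover (salt, subkey) from a stored hash; reject anything not in the expected layout."""
    raw = base64.b64decode(hashed)
    if len(raw) != 1 + SALT_BYTES + SUBKEY_BYTES or raw[:1] != FORMAT_MARKER:
        raise ValueError("not a {0x00, salt, subkey} password hash")
    return raw[1:1 + SALT_BYTES], raw[1 + SALT_BYTES:]


def verify_hashed_password(hashed, password):
    """Verification needs nothing beyond the stored string itself."""
    salt, stored_subkey = split_hashed(hashed)
    return hmac.compare_digest(derive_subkey(password, salt), stored_subkey)


def hash_password_method_a(password):
    """Method A: a second salt is concatenated to the password before hashing.
    The caller must persist extra_salt as well, or the hash cannot be checked later."""
    extra_salt = base64.b64encode(os.urandom(SALT_BYTES)).decode("ascii")
    return extra_salt, hash_password(password + extra_salt)


def verify_method_a(extra_salt, hashed, password):
    """Method A verification: the separately stored extra salt is required input."""
    return verify_hashed_password(hashed, password + extra_salt)
```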