C# authentication security best practices

I am trying to harden the security of authentication of my C# application. I have my own server that I authenticate against, and have implemented a service that can create new password hashs from a random salt that is generated on the fly and can verify the password against a saved down password+salt that is hashed. I am saving the hashed pw+salt in an xml file on the server side.

Q1. Is it safer just to store the salt and then have the user enter the password every time he sta开发者_运维问答rts a seesion? Q2. I would like to make it easy for the user (inside of a corporate LAN) and allow the "automatically" be authenticated based on his AD login user name. What is the best way to do this? Can I save a token or a certificate on the client side that times out every week or so?

Cheers, Lasse

Short Answer: BCrypt

As described in this answer:

Bcrypt has the best kind of repute that can be achieved for a cryptographic algorithm: it has been around for quite some time, used quite widely, "attracted attention", and yet remains unbroken to date.

I've written up a detailed article about how to implement BCrypt in various frameworks here: http://davismj.me/blog/bcrypt