For Microsoft.AspNetCore.Identity:
When PasswordHasherOptions.IterationCount is < 100,000:
Use at least 10 000 iterations here.
When PasswordHasherOptions.CompatibilityMode is set to PasswordHasherCompatibilityMode.IdentityV2:
Identity v2 uses only 1000 iterations. Considers changing to identity V3.
For Microsoft.AspNetCore.Cryptography.KeyDerivation:
When KeyDerivation.Pbkdf2 is called with iterationCount < 100,000:
Use at least 100,000 iterations here.
For System.Security.Cryptography:
When Rfc2898DeriveBytes is instantiated with an iterations parameter < 100,000.
When Rfc2898DeriveBytes.Pbkdf2 is called with an iterations parameter < 100,000.
Use at least 100,000 iterations here.
When Rfc2898DeriveBytes is instantiated without a hashAlgorithm parameter.
Use at least 100,000 iterations and a state-of-the-art digest algorithm here.
For Microsoft.AspNet.Identity:
When a PasswordHasher is instantiated.
PasswordHasher does not support state-of-the-art parameters. Use Rfc2898DeriveBytes instead.
When Rfc2898DeriveBytes is instantiated with an iterations parameter < 100,000.
Use at least 100,000 iterations here.
When Rfc2898DeriveBytes is instantiated without a hashAlgorithm parameter.
Use at least 100,000 iterations and a state-of-the-art digest algorithm here.
For Org.BouncyCastle.Crypto.Generators.OpenBsdBCrypt, or Org.BouncyCastle.Crypto.Generators.BCrypt:
When Generate is called with cost < 12:
Use a cost factor of at least 12 here.
For Org.BouncyCastle.Crypto.PbeParametersGenerator:
When Init is called with iterationCount < 100,000:
Use at least 100,000 iterations here.
For Org.BouncyCastle.Crypto.Generators.SCrypt:
-
When
Generateis called with N < 2^12:
Use a cost factor of at least 2^12 for N here.
-
When
Generateis called with r < 8:
Use a memory factor of at least 8 for r here.
-
When
Generateis called with dkLen < 32:
Use an output length of at least 32 for dkLen here.