For Microsoft.AspNetCore.Identity
:
When PasswordHasherOptions.IterationCount
is < 100,000:
Use at least 10 000 iterations here.
When PasswordHasherOptions.CompatibilityMode
is set to PasswordHasherCompatibilityMode.IdentityV2
:
Identity v2 uses only 1000 iterations. Considers changing to identity V3.
For Microsoft.AspNetCore.Cryptography.KeyDerivation
:
When KeyDerivation.Pbkdf2
is called with iterationCount
< 100,000:
Use at least 100,000 iterations here.
For System.Security.Cryptography
:
When Rfc2898DeriveBytes is instantiated with an iterations
parameter < 100,000.
When Rfc2898DeriveBytes.Pbkdf2 is called with an iterations
parameter < 100,000.
Use at least 100,000 iterations here.
When Rfc2898DeriveBytes is instantiated without a hashAlgorithm
parameter.
Use at least 100,000 iterations and a state-of-the-art digest algorithm here.
For Microsoft.AspNet.Identity
:
When a PasswordHasher
is instantiated.
PasswordHasher does not support state-of-the-art parameters. Use Rfc2898DeriveBytes instead.
When Rfc2898DeriveBytes is instantiated with an iterations
parameter < 100,000.
Use at least 100,000 iterations here.
When Rfc2898DeriveBytes is instantiated without a hashAlgorithm
parameter.
Use at least 100,000 iterations and a state-of-the-art digest algorithm here.
For Org.BouncyCastle.Crypto.Generators.OpenBsdBCrypt
, or Org.BouncyCastle.Crypto.Generators.BCrypt
:
When Generate
is called with cost < 12:
Use a cost factor of at least 12 here.
For Org.BouncyCastle.Crypto.PbeParametersGenerator
:
When Init
is called with iterationCount
< 100,000:
Use at least 100,000 iterations here.
For Org.BouncyCastle.Crypto.Generators.SCrypt
:
-
When
Generate
is called with N < 2^12:
Use a cost factor of at least 2^12 for N here.
-
When
Generate
is called with r < 8:
Use a memory factor of at least 8 for r here.
-
When
Generate
is called with dkLen < 32:
Use an output length of at least 32 for dkLen here.