Skip to content

Password hashing uses an unverified algorithm #6

dotnetchris opened this Issue Aug 15, 2012 · 4 comments

3 participants


If AppHarbor is very serious about this package it should either switch to PBKDF2 (what I recommend) otherwise it should proactively assume the burden and costs to have the BCrypt implementation verified such that AppHarbor.Web.Security can be viewed as truly secure for it's dependence on BCrypt.


I want to point out that only the example project has a dependency on BCrypt. The base AppHarbor.Web.Security library itself does not.

@dotnetchris dotnetchris reopened this Aug 15, 2012

If merely the sample uses BCrypt, I would strongly advocate switching to PBKDF2 in the sample. This will prevent users from following the sample and unknowingly open themselves up to liability for not using a verified algorithm (especially government software development)


@dotnetchris you can always submit a pull request to show how PBKDF2 would be used.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.