Password hashing uses an unverified algorithm #6

dotnetchris opened this Issue Aug 15, 2012 · 4 comments


None yet

3 participants


If AppHarbor is very serious about this package it should either switch to PBKDF2 (what I recommend) otherwise it should proactively assume the burden and costs to have the BCrypt implementation verified such that AppHarbor.Web.Security can be viewed as truly secure for it's dependence on BCrypt.


I want to point out that only the example project has a dependency on BCrypt. The base AppHarbor.Web.Security library itself does not.

@dotnetchris dotnetchris reopened this Aug 15, 2012

If merely the sample uses BCrypt, I would strongly advocate switching to PBKDF2 in the sample. This will prevent users from following the sample and unknowingly open themselves up to liability for not using a verified algorithm (especially government software development)


@dotnetchris you can always submit a pull request to show how PBKDF2 would be used.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment