<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en-us">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>Password Hashing in .NET</title>
<meta name="author" content="Joey Bratton" />
<!-- Homepage CSS -->
<link rel="stylesheet" href="/css/screen.css" type="text/css" media="screen, projection" />
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-8032568-1']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
</head>
<body>
<div class="site">
<div class="title">
<a href="/">Joey Bratton</a>
</div>
<div id="post">
<h1>Password Hashing in .NET</h1>
<p class="meta">15 February 2012</p>
<p>I'm currently in the process of extracting a lot of the generic, boilerplate code that I use regularly and building a series of re-usable libraries. One of the first pieces that I wanted to tackle was to build a reliable password hashing library that followed current best practices for how to securely hash user passwords.</p>
<p>The vast majority of projects that I've seen have used either MD5 or SHA for hashing their passwords. Both of those hashing algorithms have valid use cases, but they are both far too fast to be used for hashing password data. <a href="http://codahale.com">Coda Hale</a>'s article on <a href="http://codahale.com/how-to-safely-store-a-password/">How To Safely Store A Password</a> goes in depth into the problems caused by using a general-purpose hashing algorithm for passwords. Unfortunately, there doesn't seem to be a verified implementation of bcrypt for .NET, but there is a built-in implementation of <a href="http://en.wikipedia.org/wiki/PBKDF2">PBKDF2</a> in the .NET Framework.</p>
<p>The hashing functionality was extracted from the <a href="http://code.google.com/p/stackid/">Stack Exchange OpenID Project</a>. You can find the source code for the library <a href="https://github.com/joeyb/JoeyB.Security">on github</a>.</p>
</div>
<div class="footer">
<div class="contact">
<p>
Joey Bratton<br />
Software Developer at <a href="http://ignew.com/">igNew, LLC.</a><br />
joey@joeyb.org
</p>
</div>
<div class="contact">
<p>
<a href="http://github.com/joeyb/">github.com/joeyb</a><br />
<a href="http://twitter.com/joeybratton/">twitter.com/joeybratton</a>
</p>
</div>
</div>
</div>
</body>
</html>