Which of the .NET included hashing algorithms are suitable for password hashing?

Question

The password leak of LinkedIn proved how important it is to securely hash your passwords. However, even hashing passwords with a salt is not secure with the \'normal\' hashi

Answer 1

I think it's not really a meaningful Class name, but I do think it is included in the .NET framework. According to multiple sources, Rfc2898DeriveBytes is actually a PBKDF2 implementation. MSDN says so as well.

See Why do I need to use the Rfc2898DeriveBytes class (in .NET) instead of directly using the password as a key or IV? and PBKDF2 implementation in C# with Rfc2898DeriveBytes

for example.

Answer 2

There is no hashing algorith that is 100% secure. The linkedin hack was more due to infrastructure/code security than the hashing algorithm. Any hash can be calculated, it just takes longer the more complicated the hashing algortihm is. Some attacks such as collision attacks are not actually much slower to accomplish on a more complicated hash.

I always ensure that i hash passwords (never just encrypt), restrict access to servers. All developers workingfor me understand at least the basics of security (sql injection, overflows etc) and any high profile site i work on is pen-tested.

Answer 3

There is also:

http://bcrypt.codeplex.com/ (bcrypt)

http://www.zer7.com/software.php?page=cryptsharp (scrypt, etc)