Hash Password in C#? Bcrypt/PBKDF2

傲寒 2020-12-22 20:06

I looked up MSDN and other resources on how to do this but I came up with no clear solutions. This is the best I found http://blogs.msdn.com/b/shawnfa/archive/2004/04/14/gen

9 Answers
  • 2020-12-22 20:40

    PBKDF2

    You were really close actually. The link you have given shows you how you can call the Rfc2898DeriveBytes function to get PBKDF2 hash results. However, you were thrown off by the fact that the example was using the derived key for encryption purposes (the original motivation for PBKDF1 and 2 was to create "key" derivation functions suitable for using as encryption keys). Of course, we don't want to use the output for encryption but as a hash on its own.

    You can try the SimpleCrypto.Net library written for exactly this purpose if you want PBKDF2. If you look at the implementation, you can see that it is actually just a thin wrapper around (you guessed it) Rfc2898DeriveBytes.

    BCrypt

    You can try the C# implementation named (what else) BCrypt.NET if you want to experiment with this variant.

    Disclaimer: I have not used or tested any of the libraries that I have linked to... YMMV

  • 2020-12-22 20:50

    It took me forever (days, it took days) to find what to actually code to get hashed passwords to work!! So I put it here for convenience.

    You do need to read the documentation and theory1 theory2 and then some or you could be open to security loopholes. Security is a very big topic! Buyer Beware!

    Add the NuGet Package BCrypt.Net to the solution

    // Cost parameter: the hash performs 2^WorkFactor rounds
    const int WorkFactor = 14;
    var HashedPassword = BCrypt.Net.BCrypt.HashPassword(Password, WorkFactor);

    You should adjust the WorkFactor to what is appropriate; see discussions. It's a log2 function.

    "The number is log2, so every time computers double in speed, add 1 to the default number."

    Then you store the hashed password in your db as passwordFromLocalDB and test an incoming password like this:

    if (BCrypt.Net.BCrypt.Verify(password, passwordFromLocalDB))
    {
        // password matches the stored hash
    }

    Good Luck!

  • 2020-12-22 20:53

    Earlier this year I was looking into the same thing for creating hashes for our ASP.NET Web Forms project; I wanted to do it the same way MVC projects do it out of the box.

    I stumbled upon this question => ASP.NET Identity default Password Hasher, how does it work and is it secure? Then I found the source with the ByteArraysEqual method here => http://www.symbolsource.org/MyGet/Metadata/aspnetwebstacknightly/Project/Microsoft.AspNet.Identity.Core/2.0.0-rtm-140327/Release/Default/Microsoft.AspNet.Identity.Core/Microsoft.AspNet.Identity.Core/Crypto.cs?ImageName=Microsoft.AspNet.Identity.Core
