I have read that when hashing a password, many recommend using the BCrypt algorithm. I am programming in C# and is wondering if anyone know of a good and correct implementation. Found this page here, with one, but I don't really know if it is bogus or not. Although, to a non crypting expert, the code looks kind of impressive and comples :p
A:
I found this page that have a code implement the Blowfish password protection. Take a look.
ecleel
2009-01-26 20:32:21
That seemed like something else... and it was in like... italien? From what I could get through Google Translator, it seems like it was something related to convert an existing password system to something else... But thanks for taking the time anyways :)
Svish
2009-01-26 21:30:32
A:
Svish,
i'm not a cryptography expert either but i have analyzed a few hashing algorithms in the past and this one, at least with a quick look, seems to use some of the same methodologies as other algorithms.
i also built and ran the code in Snippet Compiler and performed a couple of tests both of which returned the correct, expected result.
As i was working through this i recalled why i was looking into hash algs in the past in the first place: One day, years ago i was reading MSDN documentation on mD5 and noticed somewhere in the text that the algorithm was not guaranteed to remain the same between releases. This meant that a 1.1 MD5 hash might return a different result than a 2.0 MD5 hash. i'm not sure if that is indeed the case but the disclosure was there. Since i was writing an app that was expected to stand the test of time, this disclosure scared the heck out of me and i set out to implement my own hashing algorithm which would build with my assemblies and never change.
The summarize that long-winded paragraph: You might be better off in the long run writing your own hash alg rather than depending on MS's whims.
btw. After further examination of the code, the only reason that the System.Security.Cryptography namespace is used is for random number generation. There is no dependency on existing hash algorithms.
Paul Sasik
2009-01-26 21:18:10
Thanks for the advice. Think I will probably go with that one. Seems easy to use, and pretty straight forward. On the matter of implementing my own hash alg, I would say I am not that crazy :p Don't trust my skills that well... hehe. And it is adviced against all over the place...
Svish
2009-01-26 21:29:12
wtf? never implement your own password-hashing algorithm - you'll get it wrong and there's no need, standard implementations exist and no, they won't change between releases. For secure password hashing in .NET you can use Rfc2898DeriveBytes from the standard library, or use the linked bcrypt library, just don't design one yourself.
orip
2010-08-24 06:33:08