Menu
The takeaway is this: bcrypt is a secure algorithm but remember that it caps passwords at 72 bytes. You can either check if the passwords are the proper size, or opt to switch to argon2, where you'll have to set a password size limit.
A lot of your research is correct and still applies in 2021, so it is still secure to use BCrypt (which usually generates its own random salt for each password). Good password hashing algorithms are Argon2, SCrypt and BCrypt, they all offer a cost factor which controls the necessary time.
Bcrypt | Fat-Free Framework for PHP.
bcrypt is a very hard to crack hashing type, because of the design of this slow hash type that makes it memory hard and GPU-unfriendly (especially with high cost factors).
It sounds like you are looking for BCrypt.net:
BCrypt.net is an implementation of OpenBSD's Blowfish-based password hashing code, described in "A Future-Adaptable Password Scheme" by Niels Provos and David Mazières. It is a direct port of jBCrypt by Damien Miller, and is thus released under the same BSD-style license. The code is fully managed and should work with any little-endian CLI implementation -- it has been tested with Microsoft .NET and Mono.
BCrypt.Net seems to be a most popular library at this moment
http://bcrypt.codeplex.com/
Here is an example how to use it for hashing password:
[TestMethod]
public void BCryptTest()
{
const string password = "PASSWORD";
const int workFactor = 13;
var start = DateTime.UtcNow;
var hashed = BCrypt.Net.BCrypt.HashPassword(password, workFactor);
var end = DateTime.UtcNow;
Console.WriteLine("hash length is {0} chars", hashed.Length);
Console.WriteLine("Processing time is {0} with workFactor {1}", end - start, workFactor);
Console.WriteLine("Hashed password: {0} ", hashed);
Console.WriteLine("correct password {0}", BCrypt.Net.BCrypt.Verify("PASSWORD", hashed));
Console.WriteLine("incorrect password {0}", BCrypt.Net.BCrypt.Verify("PASSWORd", hashed));
}
Sample output:
hash length is 60 chars
Processing time is 00:00:01.0020000 with workFactor 13
Hashed password: $2a$13$iBqdG7ENBABEargiyzGlTexPsmviF/qrFxUZB2zce7HKF6MoBNhEq
correct password True
incorrect password False
You can find an updated implementation of BCrypt for .Net here: http://bcrypt.codeplex.com/
I needed a BCrypt implementation when moving something from PostgreSQL (which has pg_crypto) to SQLite (which doesn't), so I wrote my own. Seeing from this message I'm not the only one needing this, I've decided to slap a license on it and release it. The URL is:
http://zer7.com/software.php?page=cryptsharp
The Blowfish implementation behind it is a port of Bruce Schneier's public domain C implementation, and succeeds on all the official test vectors.
The BCrypt code I wrote myself based on the spec. I also created a PHP script which generates random passwords of length 0 to 100 and salts, crypts them, and outputs them to a test file. The C# code matches these 100% of the time so far. You are welcome to use the script and test this yourself.
The library also includes PBKDF2 code which works for any HMAC as opposed to .Net's SHA-1-only implementation (added today -- I'm intending to do SCrypt in C# soon and that requires PBKDF2 with HMAC-SHA256). You could make yourself a scheme based on this too, if you wanted.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With