Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Which of the .NET included hashing algorithms are suitable for password hashing?

Tags:

c#

.net

security

hash

The password leak of LinkedIn proved how important it is to securely hash your passwords. However, even hashing passwords with a salt is not secure with the 'normal' hashing algorithms (such as MD5 and the SHA family), since they are optimized for speed, which allows hackers compute 2300 million hashes per second (brute force).

There are hashing algoritms that are safer to use because they are much more computational intensive, such as PBKDF2, Bcrypt, PBMAC, and scrypt. These hashing algorithms however, don't seem to be included in the .NET framework.

So, which performance intensive hashing algorithms are included in the .NET framework?

ANSWER: PBKDF2 is included in the framework and this site shows how to use it properly.

like image 739
Steven Avatar asked Jun 08 '12 12:06

Steven

People also ask

Which algorithm is best for hashing passwords?

To protect passwords, experts suggest using a strong and slow hashing algorithm like Argon2 or Bcrypt, combined with salt (or even better, with salt and pepper). (Basically, avoid faster algorithms for this usage.) To verify file signatures and certificates, SHA-256 is among your best hashing algorithm choices.

Which hashing algorithm is used for storing password hash in Windows?

The NT hash is simply a hash. The password is hashed by using the MD4 algorithm and stored. The NT OWF is used for authentication by domain members in both Windows NT 4.0 and earlier domains and in Active Directory domains.

Is SHA256 good for password hashing?

Both SHA256 and SHA512 are approved NIST hash algorithms. "to defend against dictionary attacks, a password hashing scheme must include a work factor to make it as slow as is workable."

Which is better SHA256 or SHA512?

The primary difference between SHA-256 and SHA-512 is the word size; SHA-256 uses 32-byte words where asSHA-512 uses 64-byte words.

1 Answers

I think it's not really a meaningful Class name, but I do think it is included in the .NET framework. According to multiple sources, Rfc2898DeriveBytes is actually a PBKDF2 implementation. MSDN says so as well.

See Why do I need to use the Rfc2898DeriveBytes class (in .NET) instead of directly using the password as a key or IV? and PBKDF2 implementation in C# with Rfc2898DeriveBytes

for example.

like image 116
pyrocumulus Avatar answered Oct 02 '22 20:10

pyrocumulus
Sign in to Comment

Related questions

Is there any reason NOT to use standard resx+static binding for localizing WPF?
How to write in a registry key own by TrustedInstaller
Examples of functional or dynamic techniques that can substitute for object oriented Design Patterns
Writing a Text File in memory and saving it with savefiledialog
Convert character entities to their unicode equivalents
How is WPF's DependencyObject implemented? [closed]
Returning an image from an action results in an error in FireBug/Chrome Dev. Tools
Why volatile and MemoryBarrier do not prevent operations reordering?
VB.NET linq group by with anonymous types not working as expected
Vim [m motion with c#
Select a random item from a weighted list
High-speed string matching in C#
Multiple developers using single web.config with different settings
To see all command line on output window while compiling
Adding custom attributes to C# classes using Roslyn
Visual C# Form right click button
Strange Queue<T>.Enqueue(T item) code
Determine metro app is running in Windows 8 tab or Desktop PC
Programmatically assign access control list (ACL) permission to 'this folder, subfolders and files'
How to write a good curiously recurring template pattern (CRTP) in C#

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!