Storing Passwords Securely

I did not realize that simply hashing a password with some salt is not good enough anymore. The problem is that general-purpose hashes like MD5, SHA-1 and SHA-256 are designed to be fast, and that speed works for the attacker: given a stolen table of salted hashes, a single modern GPU can test billions of candidate passwords per second, so any common or dictionary-based password falls in seconds. Salt still matters (it defeats precomputed rainbow tables and forces each password to be attacked separately), but it does nothing to raise the cost of each guess. Instead, folks are recommending bcrypt because it is deliberately slow, and its cost parameter lets you make it slower as hardware improves. Someone kindly wrote a .NET implementation of bcrypt here.

[edit] I was just told that .NET already has an implementation of this scheme in Rfc2898DeriveBytes. RFC 2898 defines PBKDF2, which applies an HMAC to the salted password over and over; the RFC recommends a minimum of 1000 iterations, which is also the default iteration count of Rfc2898DeriveBytes, but that figure dates from 2000 and is far too low today, so set the count explicitly and raise it until one derivation takes tens of milliseconds on your own server hardware. Bcrypt instead builds on the Blowfish cipher's expensive key setup, repeated 2^cost times with the cost chosen when the hash is created. The important point is that both are deliberately slow, and both let you tune how slow, so the work factor can keep pace with attacker hardware.
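As an added example (not code from the original post), here is how a .NET application can use Rfc2898DeriveBytes to hash and verify passwords. It generates a fresh random salt per password, picks the iteration count explicitly rather than accepting the 1000-iteration default, stores the salt and count next to the derived key so they can be raised later, and compares in constant time. It assumes .NET 6 or later (for RandomNumberGenerator.GetBytes, CryptographicOperations.FixedTimeEquals and the HashAlgorithmName overload of Rfc2898DeriveBytes); the "pbkdf2-sha256$iterations$salt$hash" storage format and the 600,000 iteration figure are choices made for this example, not anything the post specifies.

```csharp
using System;
using System.Security.Cryptography;

// Added example: PBKDF2 password storage with Rfc2898DeriveBytes (HMAC-SHA256 as the PRF).
// Assumes .NET 6+. The storage format and iteration count are this example's own choices.
public static class PasswordHasher
{
    private const int SaltSize = 16;               // 128-bit random salt, unique per password
    private const int KeySize = 32;                // 256-bit derived key
    private const int DefaultIterations = 600_000; // far above the RFC's 1000 floor; tune to ~50-100 ms on your hardware

    // Returns "pbkdf2-sha256$<iterations>$<salt b64>$<key b64>" so the parameters travel with the hash.
    public static string Hash(string password, int iterations = DefaultIterations)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize); // CSPRNG, never a fixed or per-site salt
        byte[] key = Derive(password, salt, iterations);
        return $"pbkdf2-sha256${iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(key)}";
    }

    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha256") return false;
        if (!int.TryParse(parts[1], out int iterations) || iterations < 1) return false;

        byte[] salt = Convert.FromBase64String(parts[2]);
        byte[] expected = Convert.FromBase64String(parts[3]);
        byte[] actual = Derive(password, salt, iterations);

        // Constant-time comparison: a plain == would stop at the first differing byte and leak timing.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // Call after a successful login; if true, re-run Hash() with the current policy and store the result.
    public static bool NeedsRehash(string stored, int currentIterations = DefaultIterations)
    {
        string[] parts = stored.Split('$');
        return parts.Length != 4 || !int.TryParse(parts[1], out int it) || it < currentIterations;
    }

    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        // The HashAlgorithmName overload avoids the older constructors' HMAC-SHA1 default.
        using var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256);
        return kdf.GetBytes(KeySize);
    }

    public static void Main()
    {
        string stored = Hash("correct horse battery staple");
        Console.WriteLine(stored);
        Console.WriteLine(Verify("correct horse battery staple", stored));
        Console.WriteLine(Verify("wrong password", stored));
        Console.WriteLine(NeedsRehash(stored));
    }
}
```

Storing the iteration count with each hash is what makes the slowness tunable in practice: when you raise DefaultIterations next year, old records still verify, and NeedsRehash lets you upgrade them transparently the next time each user logs in.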

