Derek Slager

• Wednesday, October 03, 2007

  BCrypt.net - Strong Password Hashing for .NET and Mono

  Using raw hash functions to authenticate passwords is as naive as using unsalted hash functions. Don’t.
  Thomas Ptacek

  BCrypt.net is an implementation of OpenBSD's Blowfish-based password hashing code, described in "A Future-Adaptable Password Scheme" by Niels Provos and David Mazières. It is a direct port of jBCrypt by Damien Miller, and is thus released under the same BSD-style license. The code is fully managed and should work with any little-endian CLI implementation -- it has been tested with Microsoft .NET and Mono.

  Why BCrypt?

  Most popular password storage schemes are based on fast hashing algorithms such as MD5 and SHA-1. BCrypt is a computationally expensive adaptive hashing scheme which utilizes the Blowfish block cipher. It is ideally suited for password storage, as its slow initialization time severely limits the effectiveness of brute force password cracking attempts. How much overhead it adds is configurable (that's the adaptive part), so the computational resources required to test a password candidate can grow along with advancements in hardware capabilities.

  Usage

  Using BCrypt in your code is very simple:

  // Pass a logRounds parameter to GenerateSalt to explicitly specify the
  // amount of resources required to check the password. The work factor
  // increases exponentially, so each increment is twice as much work. If
  // omitted, a default of 10 is used.
  string hashed = BCrypt.HashPassword(password, BCrypt.GenerateSalt(12));
  
  // Check the password.
  bool matches = BCrypt.CheckPassword(candidate, hashed);

  The source code is available via the links below. You can download the packaged version, which includes an NUnit-based test suite, or download the source directly via BCrypt.cs.

  Attachments

  • bcrypt.net-0.1.zip
  • BCrypt.cs
  4 CommentsPosted at 3:07 AM to Categories: .NET Security
  

Comments

1. Sunday, October 07, 2007 9:49:58 AM by Adi
   Trackback from http://dotmad.blogspot.com/2007/10/now-add-some-pepper-to-your-password.html
2. Thursday, November 29, 2007 5:30:34 PM by Paul Houle
   Thanks a million!
3. Tuesday, January 27, 2009 8:14:58 AM by Svish
   Why do GenerateSalt(30) take for ever, but GenerateSalt(31) seems to take no time at all?
4. Tuesday, March 17, 2009 5:11:18 PM by Sire
   Note that the salt is actually included in the hash, so there is no need to store the salt separately.

Add Comment Name
URL Comment

About

I'm a programmer at Appature, a Seattle-area startup building marketing-focused CRM tools.

Email Me

Recent

• DVCS Myths
• A DVCS Story
• BCrypt.net - Strong Password Hashing for .NET and Mono
• A Better .NET Regular Expression Tester
• Emulating Vista's User Directory Structure on XP
• Screencast: Formatting a CSS File with Emacs
• Emacs Hack #3: Compile Emacs from CVS on Windows
• Emacs Hack #2: Manage Emacs Instances with gnuserv
• Emacs Hack #1: Install Emacs on Windows
• The Case for Emacs

Categories

• .NET
• Baseball
• C#
• DVCS
• Emacs
• LINQ
• Security
• Windows