A nice class for hashing

I was working on an application where I needed to store user names and passwords in a database, as we often do. As we all (should) know, we never (ever, ever) store passwords in plain text. If we do, we are setting ourselves up for big trouble if the database contents leak out or someone hacks their way into it. So what should you do?

You should salt the passwords and you should hash them, and hash them good.

Using raw hash functions to authenticate passwords is as naive as using unsalted hash functions. Don’t. – Thomas Ptacek

So, I was looking for a good implementation of a good hashing algorithm and found one written by Derek Slager called BCrypt.net. I really liked it. It has a very clean interface and is very easy to use. So, to make sure I don’t lose it if he removes it or anything, I am posting it here. And if it helps someone else discover it and eases their day a little, that is awesome too.

You use it like this:

// Pass a logRounds parameter to GenerateSalt to explicitly specify the
// amount of resources required to check the password. The work factor
// increases exponentially, so each increment is twice as much work. If
// omitted, a default of 10 is used.
string hashed = BCrypt.HashPassword(password, BCrypt.GenerateSalt(12));

// Check the password.
bool matches = BCrypt.CheckPassword(candidate, hashed);

You can find the class here.
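
The string returned by HashPassword carries its own salt and work factor, so two applications hashing the same password get different strings and must verify with CheckPassword instead of comparing hashes. The following C# is an added example, not code from this post or from BCrypt.net; PasswordStore, TargetLogRounds and NeedsRehash are hypothetical names, and it assumes the BCrypt class from the post is compiled into the project.

```csharp
using System;

// Added example. Assumes the BCrypt class from this post is compiled into the
// project; only the three BCrypt calls shown in the post are used.
public static class PasswordStore
{
    // Assumed target work factor (the post's usage example passes 12).
    private const int TargetLogRounds = 12;

    // Each call draws a new random salt, so the same password never
    // produces the same hash string twice.
    public static string Hash(string password)
    {
        return BCrypt.HashPassword(password, BCrypt.GenerateSalt(TargetLogRounds));
    }

    // The salt and work factor are read back out of storedHash, so any
    // application holding the stored string can verify a candidate.
    public static bool Verify(string candidate, string storedHash)
    {
        return BCrypt.CheckPassword(candidate, storedHash);
    }

    // A bcrypt string looks like "$2a$12$<salt><hash>"; field 2 is the work factor.
    public static bool NeedsRehash(string storedHash)
    {
        string[] fields = storedHash.Split('$');
        int logRounds;
        if (fields.Length != 4 || !int.TryParse(fields[2], out logRounds))
            return true; // unrecognized format: re-hash at next successful login
        return logRounds < TargetLogRounds;
    }
}

public static class Demo
{
    public static void Main()
    {
        const string password = "correct horse battery staple"; // constructed sample
        string fromAdminApp = PasswordStore.Hash(password);
        string fromUserApp = PasswordStore.Hash(password);
        // String equality is not a valid check here: the two salts differ.
        Console.WriteLine(fromAdminApp == fromUserApp);
        // Verification works against either stored string.
        Console.WriteLine(PasswordStore.Verify(password, fromAdminApp));
        Console.WriteLine(PasswordStore.Verify(password, fromUserApp));
        Console.WriteLine(PasswordStore.NeedsRehash(fromUserApp));
    }
}
```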


One Comment

  1. Sheri
    Posted February 23, 2010 at 10:25 | Permalink

    Hi!
    I use the same as you. The problem is I have to use it in two different places. One for Admin and one for user if user would like to change his password.

    I use the same method, but the generated hashcode differs from each other in these two applications.

    What can the problem be?

    Regards
    Sheri

  • Greetings! I am Torleif Berger, 24 years old, a Seventh-Day Adventist and currently working as a software developer. Otherwise, not much to tell. Although I do juggle a bit...