A nice class for hashing

Torleif — Mon, 02 Mar 2009 09:31:45 +0000

I was working on an application where I needed to store user names and passwords in a database, as we often do. As we all (should) know we never (ever, ever) store passwords in plain text. If we do, we are setting ourselves up for big trouble if the database contents leaks out or someone hacks their way into it. So what should you do?

You should salt the passwords and you should hash them, and hash them good.

Using raw hash functions to authenticate passwords is as naive as using unsalted hash functions. Don’t. – Thomas Ptacek

So, I was looking for a good implementation of a good hashing algorithm and found one written by Derek Slager called BCrypt.net. I really liked it. It has a very clean interface and is very easy to use. So, to make sure I don’t lose it, if he removes it, or anything, I post it here. And if it helps someone else to discover it and to ease their day a little, that is awesome too.

You use it like this:

// Pass a logRounds parameter to GenerateSalt to explicitly specify the
// amount of resources required to check the password. The work factor
// increases exponentially, so each increment is twice as much work. If
// omitted, a default of 10 is used.
string hashed = BCrypt.HashPassword(password, BCrypt.GenerateSalt(12));

// Check the password.
bool matches = BCrypt.CheckPassword(candidate, hashed);

You find the class here.

Geekality » Hashing

A nice class for hashing