C#: Handy BCrypt class for hashing passwords

Torleif — Mon, 02 Mar 2009 10:31:45 +0000

I was working on an application where I needed to store user names and passwords in a database, as we often do. As we all (should) know we never (ever, ever) store passwords in plain text. If we do, we are setting ourselves up for big trouble if the database contents leaks out or someone hacks their way into it. So what should you do?

You should salt the passwords and you should hash them, and hash them good.

Using raw hash functions to authenticate passwords is as naive as using unsalted hash functions. Don’t. – Thomas Ptacek

So, I was looking for a good implementation of a good hashing algorithm and found one written by Derek Slager called BCrypt.net. I really like it. It has a very clean interface and is super easy to use. So to make sure I don’t lose it (if he would remove it or I would lose the link or something), I post it here. And if it helps someone else to discover it and to ease their day a little, that would be awesome too

You use it like this:

// Pass a logRounds parameter to GenerateSalt to explicitly specify the
// amount of resources required to check the password. The work factor
// increases exponentially, so each increment is twice as much work. If
// omitted, a default of 10 is used.
string hashed = BCrypt.HashPassword(password, BCrypt.GenerateSalt(12));

// Check the password.
bool matches = BCrypt.CheckPassword(candidate, hashed);

You find the class here.

Geekality » Hashing

C#: Handy BCrypt class for hashing passwords