Password hashing uses an unverified algorithm #6
Comments
|
If AppHarbor is very serious about this package it should either switch to PBKDF2 (what I recommend) otherwise it should proactively assume the burden and costs to have the BCrypt implementation verified such that AppHarbor.Web.Security can be viewed as truly secure for it's dependence on BCrypt. |
|
I want to point out that only the example project has a dependency on BCrypt. The base AppHarbor.Web.Security library itself does not. |
|
If merely the sample uses BCrypt, I would strongly advocate switching to PBKDF2 in the sample. This will prevent users from following the sample and unknowingly open themselves up to liability for not using a verified algorithm (especially government software development) |
|
@dotnetchris you can always submit a pull request to show how PBKDF2 would be used. |
PBKDF2 is the only verified implementation in .NET
http://stackoverflow.com/questions/481160/is-bcrypt-a-good-encryption-algorithm-to-use-in-c-where-can-i-find-it/6228051#6228051
The text was updated successfully, but these errors were encountered: