Recommendation on how to hash passwords

  • General discussion

  • Hi,

    I need some pointers on how to approach a current task. Create hashes of passwords that are stored in a database. So after reading up on the subject I see that I should go for either PBKDF2 or BCrypt. And I have some question about these:

    PBKDF:
    The only supported solution is using HMAC SHA1, which does seem kinda old school. I could write my own that accepts SHA512 for example, but I would rather find something proven. Does it exist? Second, what is the iteration recommendation in 2016 - 256000?

    I can see that there is a version 3 of Microsoft's "PasswordHasher" (Microsoft.AspNetCore.Cryptography.KeyDerivation) which supports SHA512 and higher iterations. But looking at the implementation, it seems that they use BCrypt behind (Win8Pbkdf2Provider). I guess that means this solution isn't "supported" by NIST?

    BCrypt:
    Still not supported by NIST - and we would expect customers in the US to require this, I guess. However, I'm also reluctant to use BCrypt because I need something that is backed by a large company - all I can find are some old implementations that one guy updates (if ever). What is the iteration (work factor) recommendation in 2016 - 12?

    An alternative approach would be to just go with standard Rfc2898DeriveBytes using HMAC SHA1 and then using AES to encrypt the database values - storing the crypto key on disk.

    What do you guys recommend? What do you do when looking into securing enterprise level software?

    /Werner



    Friday, September 2, 2016 12:28 PM
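One way to address the question's two concerns at once (a PBKDF2 PRF stronger than SHA-1, and an iteration count that will need raising after 2016) is to store the parameters alongside the hash. The following is an added example, not code from the thread, using the Microsoft.AspNetCore.Cryptography.KeyDerivation package the question names; it assumes .NET 6 or later for RandomNumberGenerator.GetBytes, and the 256,000-iteration figure is the one floated in the question, not a recommendation.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Cryptography.KeyDerivation; // NuGet package named in the question

// Added example: PBKDF2-HMAC-SHA512 with a self-describing record, so the
// iteration count or PRF can be raised later without invalidating stored hashes.
public static class PasswordHashing
{
    // Current policy (assumed values for this example; tune to your hardware budget).
    private const KeyDerivationPrf Prf = KeyDerivationPrf.HMACSHA512;
    private const int Iterations = 256_000;   // figure floated in the question
    private const int SaltBytes = 16;
    private const int SubkeyBytes = 32;

    // Stored form: "pbkdf2$<prf>$<iterations>$<salt b64>$<subkey b64>"
    public static string Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes); // fresh random salt per password
        byte[] subkey = KeyDerivation.Pbkdf2(password, salt, Prf, Iterations, SubkeyBytes);
        return $"pbkdf2${(int)Prf}${Iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(subkey)}";
    }

    // Returns whether the password matches, and whether the stored record uses weaker
    // parameters than the current policy (caller should then re-hash while the plaintext is available).
    public static (bool Valid, bool NeedsRehash) Verify(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 5 || parts[0] != "pbkdf2") return (false, false);
        if (!int.TryParse(parts[1], out int prfValue) || !int.TryParse(parts[2], out int iterations))
            return (false, false);

        var prf = (KeyDerivationPrf)prfValue;
        byte[] salt = Convert.FromBase64String(parts[3]);
        byte[] expected = Convert.FromBase64String(parts[4]);

        // Re-derive with the parameters recorded for this entry, not the current policy.
        byte[] actual = KeyDerivation.Pbkdf2(password, salt, prf, iterations, expected.Length);

        // Constant-time comparison avoids leaking how many leading bytes matched.
        bool valid = CryptographicOperations.FixedTimeEquals(actual, expected);
        bool needsRehash = valid && (iterations < Iterations || prf != Prf);
        return (valid, needsRehash);
    }
}
```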

All replies

  • Hi Werner Clausen,

    Thank you for posting here.

    Could you tell us what type of project it is? Native code or managed code? Could you tell us what problems you encounter.

    Could you please provide more information for us?

    The Common Language Runtime Internals and Architecture forum discusses and asks questions about issues regarding the very core of .NET, including security, performance, hosting, base classes, interop, reliability, debugging, GC, and profiling.

    I don't think this is related to the common language runtime forum. I will move the thread to the off-topic forum.

    Best Regards,

    Hart



    Monday, September 5, 2016 3:23 AM

    Hart - well, not sure how to answer, since I do mention several managed code classes...but yes, this is C# managed code. This is going to be some hash classes for a login service where (unfortunately) the passwords need to be stored in a SQL Server database.

    It would be a fail to move this to the off-topic forum. It might be the wrong forum, but I searched for "password hashing" and one of the forums where people got the best answers was this one.

    I might try stackoverflow then...


    Monday, September 5, 2016 7:11 AM
  • Hi Werner Clausen,

    Thank you for feedback.

    I also tried to search for the right forum before my first reply, but I cannot find the right forum for you.

    So I want to know the type of your project, to find the appropriate forum according to your project type.

    If you use the C# API, I would suggest you post your issue on the C# forum and provide more details about the error. We also can help you move it, if you allow.

    As support, if we can help a customer, we must try our best to provide a solution.

    I hope you can understand us.

    Best Regards,

    Hart



    Monday, September 5, 2016 7:34 AM

    I understand - and appreciate - that you are trying to help. But the C# forum is more about the language, syntax, best practices etc. (and then everything that doesn't fit anywhere else). My question is about password hashing - security and architecture. If it doesn't fit in this group (which it clearly doesn't, as no one reflected on it) I don't know where to put it...the C# forum would probably not attract the expertise I'm after...

    Thanks.

    Monday, September 5, 2016 7:57 AM
  • Hi,

    I think we should change the case's form into a discussion thread post.

    We need to attract expertise to discuss it.

    Best Regards,

    Hart



    Tuesday, September 6, 2016 6:25 AM
  • <bcrypt.h> defines BCRYPT_PBKDF2_ALGORITHM for Windows 8 and later. It would be used in the NCryptKeyDerivation or BCryptKeyDerivation function, together with the KDF_HASH_ALGORITHM parameter, which I hope supports things other than SHA-1. I don't know how to set up the hKey parameter for these functions.

    NIST has http://csrc.nist.gov/groups/ST/toolkit/kdf.html which links to "Special Publication 800-108. Recommendation for Key Derivation Using Pseudorandom Functions." That however does not attempt to slow down brute-force attacks; it runs only just enough iterations to get the required number of bits.

    The .NET Framework Class Libraries forum might be appropriate, except it already seems clear that the class libraries support neither PBKDF2 with SHA-2 nor BCrypt, so perhaps the Application Security for Windows Desktop forum is a better choice.

    Tuesday, September 6, 2016 4:53 PM