C#•3mo ago
Akama Aka

No secure hashing method?

Hello, I got an assignment from school to save plaintext passwords as an encrypted password in C#. I have looked at the following pages: https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/consumer-apis/password-hashing?view=aspnetcore-8.0 https://andrewlock.net/exploring-the-asp-net-core-identity-passwordhasher/ And I'm rn so fuqing impressed with what a piece of shiq language C# is. Is there fr no by-default implemented method to securely hash passwords?
Hash passwords in ASP.NET Core
Learn how to hash passwords using the ASP.NET Core Data Protection APIs.
Andrew Lock | .NET Escapades
Exploring the ASP.NET Core Identity PasswordHasher
In this post I take a look at the PasswordHasher<> implementation from the ASP.NET Core Identity framework, and how it supports multiple hashing algorithms.
31 Replies
Angius•3mo ago
First of all, you don't ever encrypt passwords. You hash them. Second, there are plenty of packages out there for Argon2 or BCrypt. Third, SHA hashing methods are there and built in; something like SHA256 will be more than enough for a school project.
Akama AkaOP•3mo ago
SHA isn't really secure for me, and Argon2id is my default. Do you have an article for Argon2id?
Angius•3mo ago
Isopoh.Cryptography.Argon2 2.0.0
Argon2 Password Hasher written in C#. Uses Isopoh.Cryptography.Blake2 for hashing and Isopoh.Cryptography.SecureArray to protect sensitive data.
LPeter1997•3mo ago
"And I'm rn so fuqing impressed what a piece of shiq language C# is."
Ah yes, an amateur bashing the language for not having something in a library and not being able to locate it by themselves, so obviously not their lack of knowledge.
SleepWellPupper•3mo ago
For a feature (Argon2id) that, afaik, no language or standard library even provides. Bit silly, that. Personally I use https://www.nuget.org/packages/Konscious.Security.Cryptography.Argon2/
Konscious.Security.Cryptography.Argon2 1.3.1
An implementation of Argon2 winner of PHC https://password-hashing.net/#argon2 Usage follows standard types found in System.Security.Cryptography in corefx. Specifically DeriveBytes. C# Implementation of the Argon2 1.3 spec with variants for Argon2i, Argon2d, and Argon2id
Akama AkaOP•3mo ago
Not really. Normally something like that should be implemented by default and not have to be installed from a third-party developer. I mean, yes, SHA is okay too, but still not enough for critical things. As far as I know (I can only talk about NodeJS), NodeJS has that by default, and many other algorithms.
Angius•3mo ago
First time I hear of Node having built-in Argon2. Got a link to the docs?
Akama AkaOP•3mo ago
https://stackoverflow.com/questions/14168703/crypto-algorithm-list But I see that the normal "deprecated" crypto has that. But PHP has that. That's what I know to 100% :laugh: Idk why NodeJS is that weird. They say that the crypto package is now a built-in feature and shouldn't be used anymore, but it is missing a lot of features, ig.
Jimmacle•3mo ago
Security practices change often enough that I wouldn't want that tied to the .NET version anyway.
Unknown User•3mo ago
Message Not Public
Akama AkaOP•3mo ago
Yes, I got a bit confused. I just had a picture in my mind where I used it. But I directly fixed it up with PHP after I realised.
Unknown User•3mo ago
Message Not Public
Akama AkaOP•3mo ago
It should be as little as possible to minimize potential security risks.
Unknown User•3mo ago
Message Not Public
Akama AkaOP•3mo ago
I never did that? :what:
Unknown User•3mo ago
Message Not Public
Akama AkaOP•3mo ago
I just talked about how using third-party packages can be a security risk too. Ref: Python pip and PHP WordPress.
Unknown User•3mo ago
Message Not Public
Jimmacle•3mo ago
there's really no need to drag this thread out, OP got the answers they needed
Akama AkaOP•3mo ago
Yes, I was also interested in it and looked at it :0275cat_dead:
Unknown User•3mo ago
Message Not Public
Akama AkaOP•3mo ago
Ik, and I agree with it. I've just seen these docs about their hashing and it was so "Yes, you can do it like that, but we don't recommend it because it's not secure", and I was like: bro, yes, for basic and learning understanding, okay, fine, but why don't you guys go the secure way directly and teach people how it's done correctly? It just makes me wonder why companies that develop a programming language show people only the insecure ways and mostly don't even show the secure ways how it's done professionally. In this case they mentioned it, but why not directly show how to hash and salt a password properly?
Unknown User•3mo ago
Message Not Public
Jimmacle•3mo ago
probably because that's not something many people implement themselves anymore and if they do need it, they know enough to find the secure/correct answer
Unknown User•3mo ago
Message Not Public
Akama AkaOP•3mo ago
Okay :NOTED:
Unknown User•3mo ago
Message Not Public
Akama AkaOP•3mo ago
I just remember those days when I coded a whole website in PHP, and at the end I did a security check and got 99+ security vulns, just because I was guided the insecure way instead of the secure way, just because the secure way is a bit more complex or a few more lines. And that made me so down. I'm still not done with it after 2-3 years because I lose the motivation every time. Okay, thanks.
Jimmacle•3mo ago
First mistake was using PHP :when: Security isn't generally the kind of thing you can be hand-held through; you need to have a good idea of what you're doing to do it right.
Akama AkaOP•3mo ago
Ik :D_zero_laugh: and even more so without a framework, just because I never wanted to learn those complicated file structures and things x3. Yes.
GrabYourPitchforks•3mo ago
I am the security engineering lead of the .NET product, and it was my recommendation to put the "this is a low-level primitive and we don't think people should be doing this in practice" disclaimer on the PBKDF2 documentation. ^^ And this is the exact reason this recommendation / decision was made. We can provide the primitives, and we can show how to pass arguments to them, but it is not the framework's job to teach people when it is appropriate to use them, how to safely choose arguments to pass into them, how to use them in a crypto-agile fashion, etc. That education comes from your security team or your college instructors. The PasswordHasher<T> type encapsulates the logic of choosing safe defaults and is crypto-agile. It's a higher-level construct that just handles all of these concerns automatically for you. That's why it's what we push people toward. But if you want to use the primitive directly, it's there for your use. 100% safe and supported, assuming you know what you're doing. Have fun. 🙂
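The PasswordHasher<T> workflow described in the reply above, written out as an added example; it is not code from the thread, from the .NET documentation or from the Identity framework itself. It assumes .NET 8 with the Microsoft.Extensions.Identity.Core NuGet package (which supplies PasswordHasher<TUser>, PasswordHasherOptions and the Microsoft.AspNetCore.Identity namespace). The AppUser class, the Register and Login helpers and the sample passwords are invented for the illustration.

```csharp
// Added example (not from the thread or the .NET docs): storing and checking passwords
// with ASP.NET Core Identity's PasswordHasher<TUser>.
// Requires the NuGet package Microsoft.Extensions.Identity.Core on .NET 8.
using System;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;

// Hypothetical user type. PasswordHasher<TUser> only passes the user through to
// HashPassword/VerifyHashedPassword; it does not read any of its fields.
sealed class AppUser
{
    public string UserName { get; init; } = "";
    public string PasswordHash { get; set; } = "";
}

static class Demo
{
    // Current policy: Identity V3 format = PBKDF2-HMAC-SHA512, 128-bit random salt,
    // 256-bit subkey, 100 000 iterations (the .NET 8 default). The returned string
    // embeds a format marker, the PRF id, the iteration count and the salt, so the
    // parameters can be raised later without a separate migration table.
    static readonly PasswordHasher<AppUser> Current = new(Options.Create(new PasswordHasherOptions
    {
        CompatibilityMode = PasswordHasherCompatibilityMode.IdentityV3,
        IterationCount = 100_000,
    }));

    // Legacy hasher, used here only to fabricate an old-style hash for the rehash demo.
    // Identity V2 format = PBKDF2-HMAC-SHA1, 1000 iterations.
    static readonly PasswordHasher<AppUser> Legacy = new(Options.Create(new PasswordHasherOptions
    {
        CompatibilityMode = PasswordHasherCompatibilityMode.IdentityV2,
    }));

    // Registration: never store the password itself, only the self-describing hash string.
    public static AppUser Register(string userName, string password)
    {
        var user = new AppUser { UserName = userName };
        user.PasswordHash = Current.HashPassword(user, password);
        return user;
    }

    // Login: verify, and if the stored hash was produced under a weaker policy than the
    // current one, re-hash now. This is the only moment the plaintext is available, so
    // the upgrade has to happen on a successful login, not in a batch job.
    public static bool Login(AppUser user, string password)
    {
        var result = Current.VerifyHashedPassword(user, user.PasswordHash, password);
        switch (result)
        {
            case PasswordVerificationResult.Failed:
                return false;
            case PasswordVerificationResult.SuccessRehashNeeded:
                user.PasswordHash = Current.HashPassword(user, password); // upgrade in place
                return true;
            default: // PasswordVerificationResult.Success
                return true;
        }
    }

    static void Main()
    {
        var alice = Register("alice", "correct horse battery staple");
        // Base64 string beginning with "AQAAAAIAAYag": marker 0x01, PRF 2 (HMAC-SHA512), 100000 iterations.
        Console.WriteLine(alice.PasswordHash);
        Console.WriteLine(Login(alice, "wrong"));                          // False
        Console.WriteLine(Login(alice, "correct horse battery staple"));   // True

        // Two hashes of the same password differ because each call draws a fresh random salt.
        Console.WriteLine(Current.HashPassword(alice, "x") == Current.HashPassword(alice, "x")); // False

        // Crypto-agility: a V2 hash from an old deployment still verifies, and Login upgrades it.
        var bob = new AppUser { UserName = "bob" };
        bob.PasswordHash = Legacy.HashPassword(bob, "hunter2");            // constructed legacy record
        string before = bob.PasswordHash;
        Console.WriteLine(Login(bob, "hunter2"));                          // True
        Console.WriteLine(before != bob.PasswordHash);                     // True: rehashed to the V3 format
    }
}
```

Run it as a console project. The point the reply makes about crypto-agility is visible in the last four lines: the hasher reads the format marker from the stored string, verifies bob's V2-format hash with the old parameters, reports SuccessRehashNeeded, and the application replaces the record with a V3 hash on that same login. Only when you want an algorithm Identity does not ship (such as Argon2id, discussed earlier in the thread) do you need a third-party package, and then salt generation, parameter encoding and constant-time comparison become your responsibility.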