No secure hashing method?
Hello,
I got an assignment from school to save plain text passwords as an encrypted password in C#.
I have looked at the following pages:
https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/consumer-apis/password-hashing?view=aspnetcore-8.0
https://andrewlock.net/exploring-the-asp-net-core-identity-passwordhasher/
And I'm rn so fuqing impressed what a piece of shiq language C# is. Is there fr no method implemented by default to securely hash passwords?
Hash passwords in ASP.NET Core
Learn how to hash passwords using the ASP.NET Core Data Protection APIs.
Andrew Lock | .NET Escapades
Exploring the ASP.NET Core Identity PasswordHasher
In this post I take a look at the PasswordHasher<> implementation from the ASP.NET Core Identity framework, and how it supports multiple hashing algorithms.
31 Replies
First of all, you don't ever encrypt passwords
You hash them
Second, there are plenty of packages out there for Argon2 or BCrypt
Third, SHA hashing methods are there and built in, something like SHA256 will be more than enough for a school project
SHA isn't really secure for me, and Argon2id is my default.
Do you have an article for Argon2Id?
Isopoh.Cryptography.Argon2 2.0.0
Argon2 Password Hasher written in C#. Uses
Isopoh.Cryptography.Blake2 for hashing and
Isopoh.Cryptography.SecureArray to protect sensitive data.
And I'm rn so fuqing impressed what a piece of shiq language C# is.
Ah yes, an amateur bashing the language for not having something in a library, and not being able to locate it themselves, so obviously it's not their lack of knowledge
For a feature (Argon2id) that afaik no language or standard library even provides. Bit silly that.
Personally I use https://www.nuget.org/packages/Konscious.Security.Cryptography.Argon2/
Konscious.Security.Cryptography.Argon2 1.3.1
An implementation of Argon2 winner of PHC
https://password-hashing.net/#argon2
Usage follows standard types found in System.Security.Cryptography in corefx. Specifically DeriveBytes.
C# Implementation of the Argon2 1.3 spec with variants for Argon2i, Argon2d, and Argon2id
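As an added example (not code from the thread or from the Konscious project), here is what the package usage looks like in practice: salted Argon2id hashing with the cost parameters stored next to the hash, and a constant-time verify. Package name, the `Argon2id` class and its `Salt`/`MemorySize`/`Iterations`/`DegreeOfParallelism` properties are the real Konscious API; the cost values and the `argon2id$...` record format are choices made for this example.

```csharp
// Added example: salted Argon2id with Konscious.Security.Cryptography.Argon2.
// Assumes: dotnet add package Konscious.Security.Cryptography.Argon2
using System;
using System.Security.Cryptography;
using System.Text;
using Konscious.Security.Cryptography;

public static class Argon2PasswordStore
{
    // Cost parameters chosen for this example; tune them to your hardware budget.
    private const int MemoryKib = 64 * 1024;   // 64 MiB
    private const int Iterations = 3;
    private const int Parallelism = 2;
    private const int SaltBytes = 16;
    private const int HashBytes = 32;

    // Produces "argon2id$m=<kib>$t=<iters>$p=<par>$<salt-b64>$<hash-b64>" so the
    // parameters travel with the record and can be raised later without breaking old entries.
    public static string Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes); // fresh salt per password
        byte[] hash = Derive(password, salt, MemoryKib, Iterations, Parallelism);
        return $"argon2id$m={MemoryKib}$t={Iterations}$p={Parallelism}$" +
               $"{Convert.ToBase64String(salt)}${Convert.ToBase64String(hash)}";
    }

    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 6 || parts[0] != "argon2id") return false;
        int m = int.Parse(parts[1].Substring(2));
        int t = int.Parse(parts[2].Substring(2));
        int p = int.Parse(parts[3].Substring(2));
        byte[] salt = Convert.FromBase64String(parts[4]);
        byte[] expected = Convert.FromBase64String(parts[5]);
        byte[] actual = Derive(password, salt, m, t, p);
        // Constant-time comparison so a timing side channel cannot leak prefix matches.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    private static byte[] Derive(string password, byte[] salt, int memoryKib, int iterations, int parallelism)
    {
        // Argon2id derives from DeriveBytes, so it is disposable like the built-in KDF types.
        using var argon2 = new Argon2id(Encoding.UTF8.GetBytes(password))
        {
            Salt = salt,
            MemorySize = memoryKib,
            Iterations = iterations,
            DegreeOfParallelism = parallelism,
        };
        return argon2.GetBytes(HashBytes);
    }
}

public static class Demo
{
    public static void Main()
    {
        string stored = Argon2PasswordStore.Hash("correct horse battery staple"); // constructed sample
        Console.WriteLine(stored);
        Console.WriteLine(Argon2PasswordStore.Verify("correct horse battery staple", stored)); // True
        Console.WriteLine(Argon2PasswordStore.Verify("wrong password", stored));               // False
    }
}
```

Keeping the cost parameters inside the stored string is what lets you raise memory or iterations later and re-hash users on their next successful login, which is the same crypto-agility idea the Identity `PasswordHasher` builds in.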
Not really. Normally something like that should be implemented by default and not have to be installed from a third-party developer
I mean yes, SHA is okay too, but still not enough for critical things
As far as I know NodeJS (I can only talk about NodeJS) has that by default. And many other algorithms
First time I hear of Node having built-in Argon2
Got a link to the docs?
https://stackoverflow.com/questions/14168703/crypto-algorithm-list
But I see that the normal "deprecated" crypto has that. But PHP has that. That's what I know 100% :laugh:
idk why nodejs is that weird. They say that the crypto package is now a built-in feature and shouldn't be used anymore, but it is missing a lot of features ig
security practices change often enough that i wouldn't want that tied to the .NET version anyway
Unknown User•3mo ago
Message Not Public
Sign In & Join Server To View
Yes I got a bit confused. I just had a pic in my mind where I used it. But I directly fixed it up with php after I realised
It should be as little as possible to minimize potential security risks.
I never did that? :what:
I just talked about how using third-party packages can be a security risk too. Ref: python pip and php WordPress
there's really no need to drag this thread out, OP got the answers they needed
Yes I was also interested in it and looked at it :0275cat_dead:
Ik and I agree with it.
I've just seen these docs about their hashing and it was so "Yes you can do it like that but we don't recommend it because it's not secure" and I was so... Bro, yes, for basic learning and understanding okay fine, but why don't you guys go directly the secure way and teach people how it's done correctly.
It just makes me wonder why companies that develop a programming language show people just the insecure ways and mostly don't even show the secure ways how it's made professionally. In this case they mentioned it, but why not directly show how to hash and salt a password properly
probably because that's not something many people implement themselves anymore
and if they do need it, they know enough to find the secure/correct answer
Okay :NOTED:
I just remember those days I coded a whole website in PHP and at the end I made a security check and got 99+ security vulns, just because it was guided the insecure way instead of the secure way, just because it's a bit more complex or a few more lines. And that made me so down. I'm still not done with it after 2-3 years because I lose the motivation every time.
Okay thanks
first mistake was using php :when:
security isn't generally the kind of thing you can be hand held through, you need to have a good idea of what you're doing to do it right
Ik :D_zero_laugh: and even more without a framework, just because I never wanted to learn those complicated file structures and things x3
Yes
I am the security engineering lead of the .NET product, and it was my recommendation to put the "this is a low-level primitive and we don't think people should be doing this in practice" disclaimer on the PBKDF2 documentation.
^^ And this is the exact reason this recommendation / decision was made.
We can provide the primitives, and we can show how to pass arguments to them, but it is not the framework's job to teach people when it is appropriate to use them, how to safely choose arguments to pass into them, how to use them in a crypto-agile fashion, etc. That education comes from your security team or your college instructors.
The PasswordHasher<T> type encapsulates the logic of choosing safe defaults and is crypto-agile. It's a higher-level construct that just handles all of these concerns automatically for you. That's why it's what we push people toward.
But if you want to use the primitive directly, it's there for your use. 100% safe and supported, assuming you know what you're doing. Have fun. 🙂
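To make the contrast in that reply concrete, here is an added example (not from the thread and not Microsoft's documentation sample) that puts the high-level `PasswordHasher<TUser>` from Microsoft.AspNetCore.Identity next to the raw PBKDF2 primitive. The `PasswordHasher`, `PasswordVerificationResult` and `Rfc2898DeriveBytes.Pbkdf2` names are the real .NET APIs; the `AppUser` class, the iteration count and the `pbkdf2-sha256$...` record format are assumptions made for this example.

```csharp
// Added example: Identity's PasswordHasher<TUser> versus the PBKDF2 primitive.
// Assumes the Microsoft.Extensions.Identity.Core package and .NET 6 or later.
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Identity;

public sealed class AppUser { public string UserName { get; set; } = ""; } // hypothetical user type

public static class PasswordStorage
{
    // Recommended path: the framework chooses algorithm, iterations and salt, and
    // embeds a format marker so old hashes can be recognised and upgraded later.
    private static readonly PasswordHasher<AppUser> Hasher = new();

    public static string HashWithIdentity(AppUser user, string password)
        => Hasher.HashPassword(user, password);

    // Returns true on success; rehashNeeded is set when the stored hash was produced
    // with older settings and should be replaced after a successful login.
    public static bool VerifyWithIdentity(AppUser user, string stored, string password, out bool rehashNeeded)
    {
        PasswordVerificationResult result = Hasher.VerifyHashedPassword(user, stored, password);
        rehashNeeded = result == PasswordVerificationResult.SuccessRehashNeeded;
        return result != PasswordVerificationResult.Failed;
    }

    // Primitive path: every parameter below is the caller's responsibility.
    private const int Pbkdf2Iterations = 600_000; // example value chosen for this demo
    private const int SaltBytes = 16;
    private const int KeyBytes = 32;

    public static string HashWithPbkdf2(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes); // fresh salt per password
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(password, salt, Pbkdf2Iterations, HashAlgorithmName.SHA256, KeyBytes);
        // Store algorithm and iteration count with the salt so they can be raised later.
        return $"pbkdf2-sha256${Pbkdf2Iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(key)}";
    }

    public static bool VerifyWithPbkdf2(string stored, string password)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha256") return false;
        int iterations = int.Parse(parts[1]);
        byte[] salt = Convert.FromBase64String(parts[2]);
        byte[] expected = Convert.FromBase64String(parts[3]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, expected.Length);
        // Constant-time comparison; a plain == on arrays or strings would leak timing.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }
}

public static class Demo
{
    public static void Main()
    {
        var user = new AppUser { UserName = "alice" }; // constructed sample user
        string stored = PasswordStorage.HashWithIdentity(user, "correct horse battery staple");
        bool ok = PasswordStorage.VerifyWithIdentity(user, stored, "correct horse battery staple", out bool rehash);
        Console.WriteLine($"identity verify: {ok}, rehash needed: {rehash}"); // True, False

        string stored2 = PasswordStorage.HashWithPbkdf2("correct horse battery staple");
        Console.WriteLine($"pbkdf2 verify (wrong password): {PasswordStorage.VerifyWithPbkdf2(stored2, "wrong password")}"); // False
    }
}
```

The Identity path is shorter precisely because the salt, iteration count, hash algorithm and the format marker that enables `SuccessRehashNeeded` are all decided for you; the primitive path shows every one of those decisions landing on the caller, which is the point of the disclaimer on the PBKDF2 docs.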