hash - Is BCrypt a good hashing algorithm to use in C#? Where can I find it? -


I have read that many programmers recommend using the BCrypt algorithm for hashing passwords.

I am programming in C# and wondering if anyone knows of a good implementation of BCrypt? I found one, but I do not know whether it is legitimate or not.

What should I know when choosing a password hashing scheme? Is BCrypt a 'good' implementation?

First of all, some terms that are important:

- Hashing - the task of taking a string and producing a sequence of characters that cannot be reverted to the original string.

- Symmetric encryption (usually just referred to as 'encryption') - the task of taking a string and producing a sequence of characters that can be decrypted back to the original string using the encryption key.

- Rainbow table - a lookup table that contains all the variations of characters hashed with a specific hashing algorithm.

- Salt - a known random string that is combined with the original string before it is hashed.

For the .NET Framework, BCrypt does not yet have a validated reference implementation. This is important because there is no way to know whether there are serious flaws in an existing implementation or not. There is an implementation of BCrypt for .NET available, but I do not know enough about cryptography to say whether it is a good or bad implementation. Cryptography is a very deep field. Do not try to build your own encryption algorithm. Seriously.

If you are going to implement your own password security (sigh), then you need to do several things:

  1. Use a secure hashing algorithm.
  2. Salt each password.
  3. Require strong passwords.

Unfortunately, even if you do all of this, a determined hacker can still potentially find the passwords; it just takes him a really long time. That is your chief enemy: time.

(And still longer than AES or SHA-512.) It forces hackers to spend far more time creating a rainbow table to look up your passwords, making it much less likely that your passwords will be hacked.

If you salt and hash your passwords, and each salt is different, then a rainbow table only works for one salted + hashed password. This means that if you have 1 million users, a hacker has to generate 1 million rainbow tables. If you use the same salt for every user, then the hacker only has to create 1 rainbow table to successfully break into your system.

If you do not salt your passwords, then all an attacker has to do is pull up an existing rainbow table for each implementation (AES, SHA-512, MD5) and see whether one matches a hash. Those tables already exist, so an attacker does not need to calculate the rainbow tables himself.

Even with all of this, if they can successfully use any other attack vector (XSS, SQL injection, CSRF) on your site, good password protection does not make any difference. It seems like a controversial statement, but think about it: if I can get all of your user information through a SQL injection attack, or get your users' cookies through XSS, your password protection does not help.

Jeff Atwood:

Note: Please recommend other good resources. I have read more than a dozen articles by dozens of authors, but few write as clearly on this topic as Jeff does. Please edit in articles as you find them.
