Nostalgamus
Sep 28, 2010

I've been tasked with bringing a web application up to spec, security wise. Starting point is a plaintext "password" column, and ASP.NET website code. (They have to improve security to be in line with GDPR rules, and I get the impression that's the only reason anyone cares.)

Ended up here after some preliminary googling (also various questions/answers on Security StackExchange, but those tend to be 7-8 years old, which seems like it's bad in this area):
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
I have no idea whether this is up to date or accurate, with argon2 being described as the new hotness in 2015.

Been looking at PBKDF2, since it has a native .NET implementation, but being stuck on .NET 4.0 leaves me with no hash algorithm beyond SHA1, which I get the impression is a bad idea to use.

What's the preferred algorithm these days (preferably something that's fairly easy to integrate with a .NET environment)?

Also, should I yell at someone that we need to upgrade from .NET 4.0?


Nostalgamus
Sep 28, 2010

Thanks for the advice. I've added the BCrypt.Net library from here: https://github.com/BcryptNet/bcrypt.net, and it seems to be working well so far.

The project's not quite a time bomb yet - it's a former internal tool that's being opened for outside access, with a new/separate user database, so old data shouldn't be a concern. On the other hand, they've already started public testing before I had time to actually implement this.
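The hash-on-registration / verify-on-login flow for that library, as an added example (not code from the thread, and not BCrypt.Net's own sample code), assuming the BCrypt.Net-Next NuGet package builds for your target framework; the `PasswordStore` class, the work factor of 12 and the rehash-on-login check are my own additions beyond what the post describes:

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;
using BC = BCrypt.Net.BCrypt;   // BCrypt.Net-Next (https://github.com/BcryptNet/bcrypt.net)

public static class PasswordStore
{
    // Work factor = log2 of the bcrypt iteration count. Tune it so one hash takes
    // roughly a quarter second on the login server; 12 is a reasonable starting point.
    // Raising it later is safe: the cost is embedded in every stored hash string.
    private const int WorkFactor = 12;

    // Registration / password change: store only the returned bcrypt string.
    public static string HashForStorage(string password)
    {
        // bcrypt uses at most the first 72 bytes of the password. Reject longer input
        // rather than letting it be silently truncated (count UTF-8 bytes, not chars).
        if (Encoding.UTF8.GetByteCount(password) > 72)
            throw new ArgumentException("password exceeds bcrypt's 72-byte limit");
        return BC.HashPassword(password, WorkFactor);   // e.g. "$2a$12$<22-char salt><31-char digest>"
    }

    // Login: true on a match. needsRehash is set when the stored hash was produced with a
    // lower work factor than the current one, so the caller can re-hash and overwrite it
    // while the plaintext is briefly available.
    public static bool VerifyLogin(string password, string storedHash, out bool needsRehash)
    {
        needsRehash = false;
        if (string.IsNullOrEmpty(storedHash) || !BC.Verify(password, storedHash))
            return false;
        needsRehash = CostOf(storedHash) < WorkFactor;
        return true;
    }

    // Read the cost field out of a modular-crypt bcrypt string: "$2a$10$..." -> 10.
    private static int CostOf(string hash)
    {
        var m = Regex.Match(hash, @"^\$2[abxy]?\$(\d{2})\$");
        return m.Success ? int.Parse(m.Groups[1].Value) : 0;
    }
}
```

Verify compares against the salt and cost stored inside the hash string, so the database needs only the one `password_hash` column and no separate salt column.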

Nostalgamus
Sep 28, 2010

To an extent - at some point I have to trust somebody's implementation of the protocol unless I want to try and implement it myself (which seems like a really bad idea).

Ultimately I'm using it because that's the first Google result for "BCrypt for .NET". If there's another implementation I should rather be using, I'd like to know which one. The github page does say it's a port of https://bcrypt.codeplex.com, but considering that site immediately throws up a browser warning I'm hesitant to go any further with that one.

Nostalgamus
Sep 28, 2010

I knew I saved this gif for a reason:
