|
I've been tasked with bringing a web application up to spec, security-wise. Starting point is a plaintext "password" column, and ASP.NET website code. (They have to improve security to be in line with GDPR rules, and I get the impression that's the only reason anyone cares.) Ended up here after some preliminary googling (also various questions/answers on Security StackExchange, but those tend to be 7-8 years old, which seems like it's bad in this area): https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html I have no idea whether this is up to date or accurate, with argon2 being described as the new hotness in 2015. Been looking at PBKDF2, since it has a native .NET implementation, but being stuck on .NET 4.0 leaves me with no hash algorithm beyond SHA1, which I get the impression is a bad idea to use. What's the preferred algorithm these days (preferably something that's fairly easy to integrate with a .NET environment)? Also, should I yell at someone that we need to upgrade from .NET 4.0?
|
# ¿ Feb 11, 2020 18:46 |
|
Thanks for the advice. I've added the BCrypt.Net library from here: https://github.com/BcryptNet/bcrypt.net, and it seems to be working well so far. The project's not quite a time bomb yet - it's a former internal tool that's being opened for outside access, with a new/separate user database, so old data shouldn't be a concern. On the other hand, they've already started public testing before I had time to actually implement this.
|
# ¿ Feb 12, 2020 19:04 |
|
To an extent - at some point I have to trust somebody's implementation of the protocol unless I want to try and implement it myself (which seems like a really bad idea). Ultimately I'm using it because that's the first Google result for "BCrypt for .NET". If there's another implementation I should rather be using, I'd like to know which one. The GitHub page does say it's a port of https://bcrypt.codeplex.com, but considering that site immediately throws up a browser warning I'm hesitant to go any further with that one.
|
# ¿ Feb 12, 2020 22:58 |
|
I knew I saved this gif for a reason:
|
# ¿ Sep 1, 2020 20:25 |