Safely store a password:
Why not SHA-1, SHA-3, MD5, etc.?
These are all general-purpose hash functions, designed to compute a digest of huge amounts of data in as short a time as possible. That speed makes them fantastic for verifying the integrity of data and utterly rubbish for storing passwords: the faster the hash, the faster an attacker can try guesses.
A modern server can calculate the MD5 hash of about 330MB every second. If your users have passwords which are lowercase, alphanumeric, and 6 characters long (36^6, about 2.2 billion possibilities), you can try every single possible password of that size in around 40 seconds.
A modern supercomputer can test around 700,000,000 passwords a second. At that rate you'd be cracking those passwords at more than one per second.
It's important to note that salts do not help here. A salt defeats precomputed rainbow tables, but it does nothing to slow down a dictionary or brute-force attack against an individual hash; the attacker simply includes the (stored, non-secret) salt in each guess.
Bcrypt Solves These Problems:
It uses a variant of the Blowfish encryption algorithm's (deliberately expensive) key schedule, and introduces a work factor, which lets you decide how expensive the hash function will be. Because of this, bcrypt can keep up with Moore's law: as computers get faster you increase the work factor and the hash gets slower, for you and for the attacker alike.
It has always been a challenge for .NET developers to securely store passwords in the database.
CryptSharp provides a number of password crypt algorithms like BCrypt, LDAP, MD5 (and Apache's htpasswd variant), PHPass (WordPress, phpBB, Drupal), SHA256, SHA512, and Traditional and Extended DES. Additionally it includes Blowfish, SCrypt, and PBKDF2 for any HMAC (at the time of writing, .NET's built-in PBKDF2 class, Rfc2898DeriveBytes, supported only SHA-1; newer .NET versions accept other hash algorithms).
If you are looking to store passwords, odds are CryptSharp has the algorithm you want.
To install CryptSharp, run the following command in the Package Manager Console in Visual Studio.
Or you can download it from its official site and add a reference to your project.
Using CryptSharp is very simple. To hash ("crypt") a password, add the assembly to References and type:
using CryptSharp;

// Crypt using the Blowfish crypt ("BCrypt") algorithm.
string cryptedPassword = Crypter.Blowfish.Crypt(password);
To check a plain-text password against the stored crypted password, use the following lines of code:
using CryptSharp;

// Do the passwords match?
// You can also check a password using the Crypt method, but this approach is easier.
bool matches = Crypter.CheckPassword(testPassword, cryptedPassword);
If you choose the BCrypt algorithm, be aware that it only uses the first 72 bytes of a password; anything beyond that is silently ignored. The limit is in bytes, not characters, so multi-byte UTF-8 characters use up the budget faster.
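The following console program is an added example and is not code from the original post or from the CryptSharp project. It ties together the points above: it measures how many unsalted MD5 guesses per second one core manages and what that means for the 36^6 keyspace, calibrates a bcrypt work factor so that one hash takes a chosen time, hashes and verifies a password with the API shown above, and demonstrates the 72-byte limit. It assumes, beyond Crypter.Blowfish.Crypt and Crypter.CheckPassword from the post, CryptSharp's CrypterOptions / CrypterOption.Rounds overload for setting the cost explicitly; the password strings and the 250 ms target are made up for the demonstration.

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Text;
using CryptSharp;

// Added example, not code from the original post or from CryptSharp itself.
// ASSUMPTION: besides Crypter.Blowfish.Crypt / Crypter.CheckPassword shown in
// the post, this uses CryptSharp's CrypterOptions / CrypterOption.Rounds
// overload to set the bcrypt work factor explicitly.
static class PasswordStorageDemo
{
    // 36^6: lowercase alphanumeric, 6 characters, the keyspace from the post.
    const double Keyspace = 2176782336.0;

    // The "general-purpose hash" case: how many MD5 guesses per second does
    // one core manage? Unsalted MD5 of a fixed 6-byte candidate, looped for
    // `seconds`. Real crackers on GPUs are far faster than this.
    public static double Md5GuessesPerSecond(double seconds)
    {
        byte[] candidate = Encoding.ASCII.GetBytes("aaaaaa");
        long count = 0;
        using (var md5 = MD5.Create())
        {
            var sw = Stopwatch.StartNew();
            while (sw.Elapsed.TotalSeconds < seconds)
            {
                md5.ComputeHash(candidate);
                count++;
            }
            return count / sw.Elapsed.TotalSeconds;
        }
    }

    // bcrypt with an explicit work factor. Cost c means 2^c expensive key
    // setups, so each +1 doubles the time for you and for the attacker.
    public static string Hash(string password, int cost)
    {
        return Crypter.Blowfish.Crypt(password,
            new CrypterOptions { { CrypterOption.Rounds, cost } });
    }

    // The stored bcrypt string carries the algorithm marker, the cost and
    // the salt, so verification needs nothing but the hash itself.
    public static bool Verify(string password, string storedHash)
    {
        return Crypter.CheckPassword(password, storedHash);
    }

    // Raise the cost until one hash takes at least `targetMs`; that is the
    // cost to deploy, and the number to revisit as hardware gets faster.
    public static int CalibrateCost(double targetMs)
    {
        for (int cost = 4; cost < 31; cost++)
        {
            var sw = Stopwatch.StartNew();
            Hash("calibration-only", cost);
            sw.Stop();
            Console.WriteLine($"cost {cost,2}: {sw.Elapsed.TotalMilliseconds,8:F1} ms");
            if (sw.Elapsed.TotalMilliseconds >= targetMs) return cost;
        }
        return 31;
    }

    static void Main()
    {
        double md5Rate = Md5GuessesPerSecond(1.0);
        Console.WriteLine($"MD5: {md5Rate:N0} guesses/s, full 6-char keyspace in {Keyspace / md5Rate:F0} s");

        int cost = CalibrateCost(250.0);
        var timer = Stopwatch.StartNew();
        Hash("timing-only", cost);
        double perHashSeconds = timer.Elapsed.TotalSeconds;
        Console.WriteLine($"bcrypt cost {cost}: {1 / perHashSeconds:F1} guesses/s, " +
                          $"full keyspace in {Keyspace * perHashSeconds / 86400:N0} days on this core");

        // Normal use: hash at the calibrated cost, then check candidates.
        string stored = Hash("correct horse battery staple", cost);
        Console.WriteLine(stored);
        Console.WriteLine(Verify("correct horse battery staple", stored));
        Console.WriteLine(Verify("Correct horse battery staple", stored));

        // bcrypt keys off the first 72 bytes only, so a password that differs
        // after byte 72 is checked here against the hash of its 72-byte prefix.
        string prefix = new string('a', 72);
        string prefixHash = Hash(prefix, 4);
        Console.WriteLine(Verify(prefix + "-this-tail-is-ignored", prefixHash));

        // The limit is in bytes, not characters: non-ASCII text uses more.
        Console.WriteLine(Encoding.UTF8.GetByteCount("pässwörd"));
    }
}
```

Two things worth noticing when you run it: the MD5 loop is single-threaded and does no salting, and it still exhausts the whole 6-character keyspace in well under a day on one core, whereas at a bcrypt cost that takes a quarter of a second per hash the same keyspace takes years per core. And because bcrypt truncates at 72 bytes, the last Verify call reports a match even though the supplied password has extra characters after byte 72, which is exactly the caveat above; if you want longer passphrases to matter, enforce a length limit at registration or pre-hash with a fixed-output function before calling bcrypt.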
Here is the sample output of CryptSharp from my code:
Source Code Download:
Github [Repository Link]
Box.com [Direct Link to Zip file]