A strong password storage strategy is critical to mitigating data breaches that put the reputation of any organization in danger. Hashing is the foundation of secure password storage.
This component auto upgrade your AspNet Identity v2 or v3 password hash to one of these in this package. It does it after a user successfull login
ASP.NET Core Identity uses PBKDF2. With HMAC-SHA256. A 128-bit salt. 256-bit subkey and 10.000 iterations. It's FIPS compliant and recommended by NIST. Whilst it's considered good enough, isn't the best choice against newer atack. Such as GPU based.
Wanna know more why Hash password? Read here or here.
The latest stable release of the NetDevPack.Security.PasswordHasher is available at NuGet.
Versions:
There are specific configuration for each one of algorithms.
Argon2 is the winner of the password hashing competition and should be considered as your first choice for new applications.
Argon2 is cryptographic hashing algorithm, most recommended for password hashing. It is designed by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich from University of Luxembourg.
This implementation uses libsodium library and it's implementation of Argon2id. Which is considere best option for Password hashing.
services.AddDefaultIdentity<IdentityUser>();
services.UpgradePasswordSecurity().UseArgon2<IdentityUser>();
For options (Default is Sensitive, the stronger)
services.UpgradePasswordSecurity()
.WithStrenghten(PasswordHasherStrenght.Interactive)
.UseArgon2<IdentityUser>();
Or more advanced options:
services.UpgradePasswordSecurity()
.WithMemLimit(33554432)
.WithOpsLimit(4L)
.UseArgon2<IdentityUser>();
bcryps was designed by reusing and expanding elements of a block cipher called Blowfish. The iteration count is a power of two, which is a tad less configurable than PBKDF2, but sufficiently so nevertheless. This is the core password hashing mechanism in the OpenBSD operating system.
This implementation uses libsodium library and it's implementation of Argon2id. Which is considere best option for Password hashing.
services.AddDefaultIdentity<IdentityUser>();
services.UpgradePasswordSecurity().UseBcrypt<IdentityUser>();
For options
services.UpgradePasswordSecurity()
.ChangeSaltRevision(BcryptSaltRevision.Revision2B) // default: BcryptSaltRevision.Revision2B
.ChangeWorkFactor(15) // default: 10
.UseBcrypt<IdentityUser>();
scrypt is a much newer construction (designed in 2009) which builds over PBKDF2 and a stream cipher called Salsa20/8, but these are just tools around the core strength of scrypt, which is RAM. scrypt has been designed to inherently use a lot of RAM (it generates some pseudo-random bytes, then repeatedly read them in a pseudo-random sequence). "Lots of RAM" is something which is hard to make parallel. A basic PC is good at RAM access, and will not try to read dozens of unrelated RAM bytes simultaneously. An attacker with a GPU or a FPGA will want to do that, and will find it difficult.
services.AddDefaultIdentity<IdentityUser>();
services.UpgradePasswordSecurity().UseScrypt<IdentityUser>();
For options (Default is Sensitive, the stronger)
services.UpgradePasswordSecurity()
.WithStrenghten(PasswordHasherStrenght.Interactive)
.UseScrypt<IdentityUser>();
Or more advanced options:
services.UpgradePasswordSecurity()
.WithMemLimit(33554432)
.WithOpsLimit(4L)
.UseScrypt<IdentityUser>();
The package had a typo in the word "Strenght"; the correct spelling is "Strength". Fixing this bug may have affected some projects. Therefore, if after updating, you see that the method WithStrengthen or others are not found, change them to the ones with "th" instead of "ht".
Wanna see Argon2, Scrypt or BCrypt in action?
NetDevPack.Security.PasswordHasher is Open Source software and is released under the MIT license. This license allow the use of NetDevPack.Security.PasswordHasher in free and commercial applications and libraries without restrictions.