Click here to Skip to main content
15,888,803 members
Search within:


How do I implement bcrypt.net in C#
Please Sign up or sign in to vote.
1.00/5 (1 vote)
so I've google a fair amount on trying to implement bcrypt however it seems very few articles exist on implementing bcrypt into c# desktop applications and those that do lack detail I don't usually implement password validation for my programs as it not needed however for my current project it is need and after research ive come to the conclusion that fast hash algorithm such as SHA 256 and SHA 512 are not good way for password hashing as an attack can easier calculate lots of hashes where as bcrypt slows down this process a-lot

I've a password box within the application that i would like to whenever a user enters their password it validates against the stored hashed in the Microsoft SQL server table


so i would like to ask the community for some help on this and where to start

if anyone has any experience in using Bcrypt for password hashing and is willing to help i would greatly appreciate it

What I have tried:

so I've google a fair amount on trying to implement bcrypt however it seems very few articles exist on implementing bcrypt into c# desktop applications
Posted
Updated 23-May-16 2:09am
Add a Solution

3 solutions

I googled "bcrypt c#" and this was the third result

Use BCrypt to Hash Your Passwords: Example for C# and SQL Server[^]
 
Share this answer
 
Posted
Comments
Member 12540035 23-May-16 6:42am    
I've seen his article but I'm stuck on two things 1) how to store the salt and hash for the user and how to retrieve the salt generated for that user 2) how to validate it against a sql server

it also uses a hardcoded salt where as i rather use a random salt for each user
F-ES Sitecore 23-May-16 7:16am    
So your question isn't how to use bcrypt but how to use SQL Server, and how to generate random text, both of which are entirely different questions. Google "random text c#" and you'll find examples on how to randomly generate strings. If you want to interact with SQL Server then use Entity Framework. Again google "c# entity framework tutorial" for lots of examples, or better yet get a book on it as it is a massive subject.
Use SHA: an attack doesn't have to "generate" values, they can just try likely ones ("password" for example), dictionary attacks and / or "every combination possible" - all of which are effectively brute force and ignorance. The speed of generation of the hash value isn't a problem: just make it so that after a small number of attempts in a short period of time on the same account you "block" logins for 24 hours and notify the user via his registered email address.

That is the only practical way to prevent such "brute force" attacks - changing how you hash passwords from SHA512 to bcrypt doesn't measurably improve your security (It probably lowers it, given that bcrypt is a lot older than SHA512!)
 
Share this answer
 
Posted
Comments
F-ES Sitecore 23-May-16 5:38am    
Blocking after a number of attempts only works if people are brute-forcing your application. The real danger is if they manage to get your source data as they can run as many brute force attempts on it as they want. This is why the speed of the hash very much does matter. When you're doing something millions of times to break passwords then the longer the hash algorithm takes the more likely it is that the time needed to break passwords becomes unfeasible.
For BCrypt implemented in C#, please see: BCrypt.Net.

Perhaps your Web search problem was looking for "implementing bcrypt into C# desktop applications". How the concept of "desktop" or anything which is "not desktop" could be related to the topic? The search string could be just "BCrypt C#". Maybe all you need is to embrace separation of concerns. :-)

And for password-based authentication, I would recommend using SHA-2 (or SHA-3). It's the matter of using it correctly. Shooting from the heaps, your argument that SHA algorithms are too fast and hence allow the malicious artist to "calculate a lot of hashes" just doesn't look serious. Let's say, the legitimate user goes through the authentication cycle only once, so a little slower calculation of the hash does not matter. But you can always slow down this cycle on the server part. I don't say that this would make a viable security technique; I just mean that this consideration breaks your speculations on the benefit of other algorithms based on speed. Generally, the whole idea of security of some algorithm based on its slow speed sounds absurd. It has nothing to do with real security features, such as lack of backdoor and cryptographic feasibility of brute-force attack. See also https://en.wikipedia.org/wiki/Hash_function_security_summary[^].

—SA
 
Share this answer
 
Posted
Updated 23-May-16 2:23am
v4
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
How do I implement being able to save and load from save in C?
How do I implement a C program that is able to read from multiple files using multithreading and locks
How to implement smooth car movement and turns on a grid in a C game
How do I implement a shell to my OS
How do I implement a collapsing floor function to the game?
How do I implement a C compiler with a editor?
tail -c command linux, implement with c
C code for implementing a feedback loop to modify an initial argument?
How do I call my own implementations of interface members?
How to implement a backcountimg timer in C?

Advertise
Privacy
Cookies
Terms of Use
Last Updated 23 May 2016
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web02 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900