Thursday, 14 March 2024

How to Use BCrypt.NET For Password Hashing

 To use the BCrypt hashing function for the .NET framework we must include the BCrypt.Net-Next package in our project:

dotnet add package BCrypt.Net-Next

Once we add the package, we can generate a hash from a clear-text password using the HashPassword() static method in the BCrypt class:

var passwordHash = BCrypt.HashPassword("Password123!");

Moreover, verifying a hash is equally simple using the Verify() static method in the same class:

var result = BCrypt.Verify("Password123!", passwordHash);
Assert.True(result);

Increasing Computational Cost

We can create hashes more resilient to brute force by making the hash calculation purposedly slow so the many attempts attackers must perform to break a hash take as long as possible.

As computers become faster, a password-hashing function that used to be slow a few years ago, today may take very little time to compute.

BCrypt can adapt to the increase of available computational power by iterating over the input data several times. The more iterations the slower the calculation will be. We can control this with the workFactor parameter of the HashPassword() method:

var passwordHash = BCrypt.HashPassword("Password123!", workFactor: 13);

Here, we instruct BCrypt to apply the hashing function 2^13 times to the input string for a total of 8,192 iterations. In case we do not specify a work factor BCrypt uses a default value of 11.

Analyzing a BCrypt Hash

Whenever we use the HashPassword() method or one of its variants, BCrypt will generate a random salt and include it in the returned hash along with other data needed for the verification process.

This is what a BCrypt hash looks like. Essentially, it is a set of three values separated by a $ character:

$2a$13$gdtRuVYzDLFBUGnN1WxK/.1OFFoD7CbDZjRYGknrOwT9rus5AsqTu


2a stands for the BCrypt algorithm version used to generate the hash.

13 is the work factor.

gdtRuVYzDLFBUGnN1WxK/.1OFFoD7CbDZjRYGknrOwT9rus5AsqTu contains both the salt and the hashed input password concatenated and Base64 encoded. Both values have fixed lengths so they are easy to tell apart.

BCrypt.NET Enhanced Entropy Mode

Despite BCrypt being a fairly secure hashing function, the default BCrypt implementation truncates the input password to 72 bytes. This, potentially, reduces the brute-force attempts needed to break a hash.

To overcome this limitation, BCrypt.NET offers an enhanced entropy mode that pre-hashes the input password using SHA384. In this way, the input password turns into a fixed-length string that reflects all the variability of the original password regardless of its length.

Let’s use the enhanced entropy mode with EnhancedHashPassword() and EnhancedVerify() static methods instead of the basic HashPassword() and Verify():

var passwordHash = BCrypt.EnhancedHashPassword("Password123!");
var result = BCrypt.EnhancedVerify("Password123!", passwordHash);
Assert.True(result);

As mentioned, BCrypt uses SHA384 by default for the pre-hash step. However, there may be situations where we need to specify a different algorithm:

var passwordHash = BCrypt.EnhancedHashPassword("Password123!", HashType.SHA512);
var result = BCrypt.EnhancedVerify("Password123!", passwordHash, HashType.SHA512);


Source : https://code-maze.com/dotnet-secure-passwords-bcrypt/

No comments:

Post a Comment