JpProject.AspNetCore.PasswordHasher.Scrypt
1.0.2
See the version list below for details.
dotnet add package JpProject.AspNetCore.PasswordHasher.Scrypt --version 1.0.2
NuGet\Install-Package JpProject.AspNetCore.PasswordHasher.Scrypt -Version 1.0.2
<PackageReference Include="JpProject.AspNetCore.PasswordHasher.Scrypt" Version="1.0.2" />
paket add JpProject.AspNetCore.PasswordHasher.Scrypt --version 1.0.2
#r "nuget: JpProject.AspNetCore.PasswordHasher.Scrypt, 1.0.2"
// Install JpProject.AspNetCore.PasswordHasher.Scrypt as a Cake Addin
#addin nuget:?package=JpProject.AspNetCore.PasswordHasher.Scrypt&version=1.0.2
// Install JpProject.AspNetCore.PasswordHasher.Scrypt as a Cake Tool
#tool nuget:?package=JpProject.AspNetCore.PasswordHasher.Scrypt&version=1.0.2
Improved PasswordHasher
Custom PasswordHasher for ASP.NET Core Identity. There are 3 options: Argon2id, Scrypt and Bcrypt.
A strong password storage strategy is critical to mitigating data breaches that put the reputation of any organization in danger. Hashing is the foundation of secure password storage.
Table of Contents
Why?
ASP.NET Core Identity uses PBKDF2. With HMAC-SHA256. A 128-bit salt. 256-bit subkey and 10.000 iterations. It's FIPS compliant and recommended by NIST. Whilst it's considered good enough, isn't the best choice against newer atack. Such as GPU based.
Wanna know more why Hash password? Read here or here.
Download
The latest stable release of the JPProject PasswordHasher is available on NuGet or can be downloaded from GitHub.
Configure
There are specific configuration for each one of algorithms.
Argon2
Argon2 is the winner of the password hashing competition and should be considered as your first choice for new applications.
Argon2 is cryptographic hashing algorithm, most recommended for password hashing. It is designed by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich from University of Luxembourg.
This implementation uses libsodium library and it's implementation of Argon2id. Which is considere best option for Password hashing.
services.AddDefaultIdentity<IdentityUser>();
services.UpgradePasswordSecurity().UseArgon2<IdentityUser>();
For options (Default is Sensitive, the stronger)
services.UpgradePasswordSecurity()
.WithStrenghten(PasswordHasherStrenght.Interactive)
.UseArgon2<IdentityUser>();
Or more advanced options:
services.UpgradePasswordSecurity()
.WithMemLimit(33554432)
.WithOpsLimit(4L)
.UseArgon2<IdentityUser>();
BCrypt
bcryps was designed by reusing and expanding elements of a block cipher called Blowfish. The iteration count is a power of two, which is a tad less configurable than PBKDF2, but sufficiently so nevertheless. This is the core password hashing mechanism in the OpenBSD operating system.
This implementation uses libsodium library and it's implementation of Argon2id. Which is considere best option for Password hashing.
services.AddDefaultIdentity<IdentityUser>();
services.UpgradePasswordSecurity().UseBcrypt<IdentityUser>();
For options
services.UpgradePasswordSecurity()
.ChangeSaltRevision(BcryptSaltRevision.Revision2B) // default: BcryptSaltRevision.Revision2B
.ChangeWorkFactor(15) // default: 10
.UseBcrypt<IdentityUser>();
Scrypt
scrypt is a much newer construction (designed in 2009) which builds over PBKDF2 and a stream cipher called Salsa20/8, but these are just tools around the core strength of scrypt, which is RAM. scrypt has been designed to inherently use a lot of RAM (it generates some pseudo-random bytes, then repeatedly read them in a pseudo-random sequence). "Lots of RAM" is something which is hard to make parallel. A basic PC is good at RAM access, and will not try to read dozens of unrelated RAM bytes simultaneously. An attacker with a GPU or a FPGA will want to do that, and will find it difficult.
services.AddDefaultIdentity<IdentityUser>();
services.UpgradePasswordSecurity().UseScrypt<IdentityUser>();
For options (Default is Sensitive, the stronger)
services.UpgradePasswordSecurity()
.WithStrenghten(PasswordHasherStrenght.Interactive)
.UseScrypt<IdentityUser>();
Or more advanced options:
services.UpgradePasswordSecurity()
.WithMemLimit(33554432)
.WithOpsLimit(4L)
.UseScrypt<IdentityUser>();
Playground
Wanna see Argon2, Scrypt or BCrypt in action?
License
JPProject.PasswordHasher is Open Source software and is released under the MIT license. This license allow the use of JPProject.PasswordHasher in free and commercial applications and libraries without restrictions.
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET | net5.0 was computed. net5.0-windows was computed. net6.0 was computed. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. |
.NET Core | netcoreapp2.0 was computed. netcoreapp2.1 was computed. netcoreapp2.2 was computed. netcoreapp3.0 was computed. netcoreapp3.1 was computed. |
.NET Standard | netstandard2.0 is compatible. netstandard2.1 was computed. |
.NET Framework | net461 was computed. net462 was computed. net463 was computed. net47 was computed. net471 was computed. net472 was computed. net48 was computed. net481 was computed. |
MonoAndroid | monoandroid was computed. |
MonoMac | monomac was computed. |
MonoTouch | monotouch was computed. |
Tizen | tizen40 was computed. tizen60 was computed. |
Xamarin.iOS | xamarinios was computed. |
Xamarin.Mac | xamarinmac was computed. |
Xamarin.TVOS | xamarintvos was computed. |
Xamarin.WatchOS | xamarinwatchos was computed. |
-
.NETStandard 2.0
- JpProject.AspNetCore.PasswordHasher.Core (>= 1.0.2)
- Microsoft.Extensions.Identity.Core (>= 2.0.0)
- Sodium.Core (>= 1.2.0)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.