What is the correct way to use BCrypt?

5

I want to give a satisfactory level of security to my system. In my searches I found several functions that create hashes for passwords, but of all of them, the ones I saw most recommended were PBKDF2 and BCrypt. In all my searches, however, what I saw most was: "If misused, a hash is useless!"


So here's the question: what is the correct way to create a hash using BCrypt, for example?

Follow my code as it currently is:

public static string HashGeneration(string password)
{
    // Configuration
    int workfactor = 10; // 2 ^ (10) = 1024 iterations.

    // The salt embeds the work factor; the hash string stores both alongside the digest.
    string salt = BCrypt.Net.BCrypt.GenerateSalt(workfactor);
    string hash = BCrypt.Net.BCrypt.HashPassword(password, salt);

    return hash;
}

public static bool PasswordCompare(string hash, string password)
{
    // Verify reads the salt and work factor back out of the stored hash.
    return BCrypt.Net.BCrypt.Verify(password, hash);
}
asked by anonymous 18.09.2015 / 17:04

1 answer

3

Your code seems correct to me. I am not familiar with this particular library (I was surprised that workFactor is used as a parameter of GenerateSalt rather than HashPassword, but apparently that is how it is), and I do not even know whether the quality of its implementation is satisfactory (a lot of people seem to use it, though, so I suppose the level of scrutiny it has received is fine), but I do not see any potential problems in this usage scenario.

Like many others, this library already helps you by storing the salt and the work factor in the output of the hash (I think it's $salt$factor$hash, or maybe $version$factor$salt+hash, or something like that), so just pass the output of HashPassword to Verify and the library takes care of the details.

As for the best value to use as the work factor, the recommendation from my other answer is still valid: use the highest value that is "tolerable" in your application. Set a "target" for how long the hash check should take on each login, and adjust the work factor so that it takes approximately that time. This answer on security.SE makes an interesting calculation, taking the current date into consideration when determining the work factor (for 2015, a factor of 16 is suggested), but there is no absolute answer to that. Keep in mind that the higher the factor, the harder it will be for the attacker to guess the password:

(and as you can see in the table above, a weak password is beyond saving by any hash, so make sure passwords, especially admin passwords, meet minimum security parameters)

18.09.2015 / 17:43
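The answer's two practical points (pick the work factor by timing it on your own hardware, and rely on the factor stored inside the hash string) as an added example; this is not code from the question or from the BCrypt.Net library, it assumes the same BCrypt.Net package the question uses, and the 250 ms target is a constructed value for illustration.

```csharp
using System;
using System.Diagnostics;

public static class BcryptPolicy
{
    // Login-time budget chosen for this example (an assumption, not a value from the page).
    private const int TargetMilliseconds = 250;

    // Returns the highest work factor whose hashing time stays within the budget.
    // Run it on the machine that will actually verify logins; cost c means 2^c rounds.
    public static int CalibrateWorkFactor(string samplePassword, int minFactor = 10, int maxFactor = 31)
    {
        int chosen = minFactor;
        for (int factor = minFactor; factor <= maxFactor; factor++)
        {
            var sw = Stopwatch.StartNew();
            BCrypt.Net.BCrypt.HashPassword(samplePassword, factor);
            sw.Stop();
            if (sw.ElapsedMilliseconds > TargetMilliseconds) break; // over budget, stop here
            chosen = factor;
        }
        return chosen;
    }

    // Reads the cost back out of a stored bcrypt string, e.g. "$2a$10$<22-char salt><31-char digest>".
    // The segments are: empty, version ("2a"), cost ("10"), then salt and digest concatenated.
    public static int WorkFactorOf(string storedHash)
    {
        string[] parts = storedHash.Split('$');
        return int.Parse(parts[2]);
    }

    // Verify as in the question, then report whether the stored hash is below the
    // current policy so the caller can re-hash while the plaintext is still in hand.
    public static bool VerifyAndCheckRehash(string password, string storedHash, int currentFactor, out bool needsRehash)
    {
        bool ok = BCrypt.Net.BCrypt.Verify(password, storedHash);
        needsRehash = ok && WorkFactorOf(storedHash) < currentFactor;
        return ok;
    }

    public static void Main()
    {
        int factor = CalibrateWorkFactor("calibration-sample");   // constructed sample input
        string stored = BCrypt.Net.BCrypt.HashPassword("correct horse", factor);
        bool ok = VerifyAndCheckRehash("correct horse", stored, factor + 1, out bool rehash);
        Console.WriteLine($"factor={factor} verified={ok} needsRehash={rehash}");
    }
}
```

Re-run the calibration whenever the login hardware changes, and bump the policy factor rather than editing stored hashes: the rehash check upgrades each account on its next successful login.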