Introduction
Learn an easy way to store passwords in a SQL Server database table using the NuGet package BCrypt.Net-Next and Microsoft ...
Why did you choose a 3rd party nuget package (albeit a well known one) over the built-in crypto libraries like Sha256, etc? I always opt for a built-in library over a 3rd party nuget that you have to maintain updates for among other things. Among many other classes, there's even ASP.NET Core's built-in PasswordHasher class
Many novice developers use nothing and can't be bothered with figuring out the built-in libraries, so this is one step up. This is perfect for novice developers, and as they gain knowledge they can upgrade to the next level.
Certainly something is better than nothing. But unless you need something super custom (which is never recommended for security or encryption), it is far less code that you have to write and implement to use a built-in API. For example, you missed adding the salt. So right off the bat, this code is vulnerable and incorrect. A novice programmer wouldn't even know what a salt is. With the built-in API, salting is done for you and it's really hard to get it wrong. I'd suggest that your example is proof enough to use built-in APIs and avoid a 3rd party nuget where you are required to do a lot more to make it secure.
It appears Karen doesn't know what salting is (or a rainbow attack either).
It should as a minimum have a disclaimer that the code as presented is insecure (with the why) at the top.
I know full well what salting and rainbow attack are.
Really? And yet you made a comment that this is good code for a novice (which is what the above code is, extremely amateurish when it comes to the most basic of security practices).
The responsible thing to do would be to edit this article and include a header that details why this code is insecure.
It is irresponsible to leave this article in its current state with the stated comment that there are no plans to make changes to this article.
I'm of the opinion (and have been for many years) that security code should come with jail time: if a site is breached and shown to be vulnerable to the most basic of attacks, then hard time should be done by the designer of the security code.
I know this is a pointed view. This sort of code leads to detrimental effects down the line for people and negatively affects their lives. Over 35 years, I've seen it dozens of times.
Please do the right thing and either edit this article to include the use of salting, or just take it down.
** DO NOT USE THIS CODE - IT'S VULNERABLE **
This code suffers from a rainbow attack. Using it without modification opens your users to having their password "revealed" because there is no "salting" of the password hashes.
Yes, I know what a hash is. Google what a rainbow attack is before commenting. BCrypt is fine, not salting the password hashes is not fine.
I just wish people who don't have security expertise would stop writing code that pretends to be secure.
@karenpayneoregon - I'm happy for you to reach out what is wrong with this post and the code presented, and how it can be fixed.
Not doing so could lead to long term detrimental effects to anyone who uses this code and the passwords that get revealed as a result and down the line reuse of common passwords (which everyone does...still)
In the interim, this article should have an edit that says it has a vulnerability and to check back once it's fixed.
Thanks for your feedback.
I'd like to know if you plan to address the issues presented. A thanks for the feedback response is not sufficient given I have experience where posts like this lead (being used in someone else's templates, etc, etc.)
As someone who is experienced in security, this sort of code is the reason why jnr devs think they know how to build a secure site.
Saying that passwords are hashed is nowhere near enough. The code presented gives the passwords to the person who has the hashed passwords. There is no need to find a collision, you just download the BCrypt rainbow dictionary and do a lookup for the matching password.
Please respond with how you plan to fix this article.
Good security is about transparency and disclosure. Please demonstrate good security practices by letting everyone know what is planned for this article in terms of edits.
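As an added example (not code from the article or from any commenter), here is how BCrypt.Net-Next's HashPassword and ASP.NET Core's PasswordHasher each generate and embed a random per-password salt, together with the check a reviewer wants before accepting a password-storage snippet: two hashes of the same password must differ yet both must verify. The work factor of 12 and the package references are my assumptions.

```csharp
using System;
using Microsoft.AspNetCore.Identity;

// Added example; assumes the BCrypt.Net-Next and Microsoft.Extensions.Identity.Core
// NuGet packages are referenced.
public static class PasswordHashingDemo
{
    // BCrypt.Net-Next: HashPassword() draws a fresh random salt on every call and
    // embeds it in the result ("$2a$12$" + 22-char salt + 31-char hash, 60 chars),
    // so the table needs only one column and no hand-written salt handling.
    public static string HashWithBcrypt(string password) =>
        BCrypt.Net.BCrypt.HashPassword(password, 12);

    // Verify() parses the salt and work factor back out of the stored string.
    public static bool VerifyWithBcrypt(string password, string storedHash) =>
        BCrypt.Net.BCrypt.Verify(password, storedHash);

    // Framework alternative: PBKDF2 with a random salt; version byte, iteration
    // count and salt are packed into the single Base64 string that gets stored.
    public static string HashWithIdentity(string password) =>
        new PasswordHasher<object>().HashPassword(new object(), password);

    public static bool VerifyWithIdentity(string password, string storedHash) =>
        new PasswordHasher<object>().VerifyHashedPassword(new object(), storedHash, password)
            != PasswordVerificationResult.Failed;

    // The salting check: same password twice must give different strings (per-hash
    // salt), both must verify, and a wrong password must not.
    public static bool SaltingLooksRight(string password)
    {
        string a = HashWithBcrypt(password);
        string b = HashWithBcrypt(password);
        return a != b
            && a.StartsWith("$2")
            && a.Length == 60
            && VerifyWithBcrypt(password, a)
            && VerifyWithBcrypt(password, b)
            && !VerifyWithBcrypt(password + "x", a)
            && HashWithIdentity(password) != HashWithIdentity(password)
            && VerifyWithIdentity(password, HashWithIdentity(password));
    }

    public static void Main()
    {
        // Constructed sample password for the demo only.
        Console.WriteLine(SaltingLooksRight("correct horse battery staple")
            ? "per-password salting present, verification OK"
            : "salting check FAILED");
    }
}
```

Run it once against the article's own storage code to confirm the column you save is the full 60-character string and not a truncated or re-hashed value.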
No plans to change anything in this article.
OK, I'll reach out to MS regarding your MVP status then.
You do know there are 23M using this library, if it was all that bad there would not be that many downloads.
Wow, what a security nightmare. Junior devs should NOT be taught how it's done the simple way by cargo coding, but learn to understand what's happening and how to do it the right way. Learn about hashes, salt and pepper and start by using the BCL. In short: don't take any of this article as a best practice example.
resemble with Google password manager web browser menu