JpProject.AspNetCore.PasswordHasher.Scrypt 1.0.2

There is a newer version of this package available.
See the version list below for details.
dotnet add package JpProject.AspNetCore.PasswordHasher.Scrypt --version 1.0.2
NuGet\Install-Package JpProject.AspNetCore.PasswordHasher.Scrypt -Version 1.0.2
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="JpProject.AspNetCore.PasswordHasher.Scrypt" Version="1.0.2" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add JpProject.AspNetCore.PasswordHasher.Scrypt --version 1.0.2
#r "nuget: JpProject.AspNetCore.PasswordHasher.Scrypt, 1.0.2"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
// Install JpProject.AspNetCore.PasswordHasher.Scrypt as a Cake Addin
#addin nuget:?package=JpProject.AspNetCore.PasswordHasher.Scrypt&version=1.0.2

// Install JpProject.AspNetCore.PasswordHasher.Scrypt as a Cake Tool
#tool nuget:?package=JpProject.AspNetCore.PasswordHasher.Scrypt&version=1.0.2

Improved PasswordHasher


Custom PasswordHasher for ASP.NET Core Identity. There are 3 options: Argon2id, Scrypt and Bcrypt.

A strong password storage strategy is critical to mitigating data breaches that put the reputation of any organization in danger. Hashing is the foundation of secure password storage.

Table of Contents


Why?

ASP.NET Core Identity uses PBKDF2. With HMAC-SHA256. A 128-bit salt. 256-bit subkey and 10.000 iterations. It's FIPS compliant and recommended by NIST. Whilst it's considered good enough, isn't the best choice against newer atack. Such as GPU based.

Wanna know more why Hash password? Read here or here.


Download

The latest stable release of the JPProject PasswordHasher is available on NuGet or can be downloaded from GitHub.


Configure

There are specific configuration for each one of algorithms.

Argon2

Argon2 is the winner of the password hashing competition and should be considered as your first choice for new applications.

Argon2 is cryptographic hashing algorithm, most recommended for password hashing. It is designed by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich from University of Luxembourg.

This implementation uses libsodium library and it's implementation of Argon2id. Which is considere best option for Password hashing.

    services.AddDefaultIdentity<IdentityUser>();
    services.UpgradePasswordSecurity().UseArgon2<IdentityUser>();

For options (Default is Sensitive, the stronger)

    services.UpgradePasswordSecurity()
                    .WithStrenghten(PasswordHasherStrenght.Interactive)
                    .UseArgon2<IdentityUser>();

Or more advanced options:

    services.UpgradePasswordSecurity()
                    .WithMemLimit(33554432)
                    .WithOpsLimit(4L)
                    .UseArgon2<IdentityUser>();

BCrypt

bcryps was designed by reusing and expanding elements of a block cipher called Blowfish. The iteration count is a power of two, which is a tad less configurable than PBKDF2, but sufficiently so nevertheless. This is the core password hashing mechanism in the OpenBSD operating system.

This implementation uses libsodium library and it's implementation of Argon2id. Which is considere best option for Password hashing.

    services.AddDefaultIdentity<IdentityUser>();
    services.UpgradePasswordSecurity().UseBcrypt<IdentityUser>();

For options

    services.UpgradePasswordSecurity()
                    .ChangeSaltRevision(BcryptSaltRevision.Revision2B) // default: BcryptSaltRevision.Revision2B
                    .ChangeWorkFactor(15) // default: 10
                    .UseBcrypt<IdentityUser>();

Scrypt

scrypt is a much newer construction (designed in 2009) which builds over PBKDF2 and a stream cipher called Salsa20/8, but these are just tools around the core strength of scrypt, which is RAM. scrypt has been designed to inherently use a lot of RAM (it generates some pseudo-random bytes, then repeatedly read them in a pseudo-random sequence). "Lots of RAM" is something which is hard to make parallel. A basic PC is good at RAM access, and will not try to read dozens of unrelated RAM bytes simultaneously. An attacker with a GPU or a FPGA will want to do that, and will find it difficult.

    services.AddDefaultIdentity<IdentityUser>();
    services.UpgradePasswordSecurity().UseScrypt<IdentityUser>();

For options (Default is Sensitive, the stronger)

    services.UpgradePasswordSecurity()
                    .WithStrenghten(PasswordHasherStrenght.Interactive)
                    .UseScrypt<IdentityUser>();

Or more advanced options:

    services.UpgradePasswordSecurity()
                    .WithMemLimit(33554432)
                    .WithOpsLimit(4L)
                    .UseScrypt<IdentityUser>();

Playground

Wanna see Argon2, Scrypt or BCrypt in action?


License


JPProject.PasswordHasher is Open Source software and is released under the MIT license. This license allow the use of JPProject.PasswordHasher in free and commercial applications and libraries without restrictions.

Product Compatible and additional computed target framework versions.
.NET net5.0 was computed.  net5.0-windows was computed.  net6.0 was computed.  net6.0-android was computed.  net6.0-ios was computed.  net6.0-maccatalyst was computed.  net6.0-macos was computed.  net6.0-tvos was computed.  net6.0-windows was computed.  net7.0 was computed.  net7.0-android was computed.  net7.0-ios was computed.  net7.0-maccatalyst was computed.  net7.0-macos was computed.  net7.0-tvos was computed.  net7.0-windows was computed.  net8.0 was computed.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed. 
.NET Core netcoreapp2.0 was computed.  netcoreapp2.1 was computed.  netcoreapp2.2 was computed.  netcoreapp3.0 was computed.  netcoreapp3.1 was computed. 
.NET Standard netstandard2.0 is compatible.  netstandard2.1 was computed. 
.NET Framework net461 was computed.  net462 was computed.  net463 was computed.  net47 was computed.  net471 was computed.  net472 was computed.  net48 was computed.  net481 was computed. 
MonoAndroid monoandroid was computed. 
MonoMac monomac was computed. 
MonoTouch monotouch was computed. 
Tizen tizen40 was computed.  tizen60 was computed. 
Xamarin.iOS xamarinios was computed. 
Xamarin.Mac xamarinmac was computed. 
Xamarin.TVOS xamarintvos was computed. 
Xamarin.WatchOS xamarinwatchos was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last updated
3.0.3 534 3/21/2020
3.0.2 426 3/4/2020
3.0.1 583 10/11/2019
3.0.0 582 10/3/2019
1.0.2 601 8/24/2019