如何在C＃中实现bcrypt.net [英] How do I implement bcrypt.net in C#

问题描述

所以我在尝试实施bcrypt时谷歌相当多，但是似乎很少有关于将bcrypt实现到c＃桌面应用程序的文章和那些缺乏细节的文章我通常不会为我的程序实现密码验证，因为它不是然而，对于我目前的项目需要，并且在研究之后我得出结论，快速哈希算法如SHA 256和SHA 512不是密码散列的好方法，因为攻击可以更容易地计算大量哈希，其中bcrypt减慢了这个处理a-lot



我在应用程序中有一个密码框，我想在用户输入密码时根据Microsoft SQL中的存储哈希值进行验证服务器表





所以我想请求社区提供一些帮助以及从哪里开始



如果有人有使用Bcrypt进行密码散列的经验并且愿意帮助我会非常感激



我尝试了什么：



所以我谷歌了试图实施bcrypt的公平数额然而似乎很少有关于将bcrypt实现到c＃桌面应用程序的文章

so I've google a fair amount on trying to implement bcrypt however it seems very few articles exist on implementing bcrypt into c# desktop applications and those that do lack detail I don't usually implement password validation for my programs as it not needed however for my current project it is need and after research ive come to the conclusion that fast hash algorithm such as SHA 256 and SHA 512 are not good way for password hashing as an attack can easier calculate lots of hashes where as bcrypt slows down this process a-lot

I've a password box within the application that i would like to whenever a user enters their password it validates against the stored hashed in the Microsoft SQL server table


so i would like to ask the community for some help on this and where to start

if anyone has any experience in using Bcrypt for password hashing and is willing to help i would greatly appreciate it

What I have tried:

so I've google a fair amount on trying to implement bcrypt however it seems very few articles exist on implementing bcrypt into c# desktop applications

推荐答案

使用SHA：攻击不必生成 价值观，他们可以尝试可能的（例如密码），字典攻击和/或每种可能的组合 - 所有这些都是有效的暴力和无知。生成哈希值的速度不是问题：只需将其设置为在同一帐户上短时间内进行少量尝试后，您将阻止登录24小时并通过其注册通知用户电子邮件地址。



这是防止此类强力攻击的唯一实用方法 - 更改将密码从SHA512散列到bcrypt的方式无法显着提高您的安全性（它可能会降低它，因为bcrypt比SHA512早了很多！）

Use SHA: an attack doesn't have to "generate" values, they can just try likely ones ("password" for example), dictionary attacks and / or "every combination possible" - all of which are effectively brute force and ignorance. The speed of generation of the hash value isn't a problem: just make it so that after a small number of attempts in a short period of time on the same account you "block" logins for 24 hours and notify the user via his registered email address.

That is the only practical way to prevent such "brute force" attacks - changing how you hash passwords from SHA512 to bcrypt doesn't measurably improve your security (It probably lowers it, given that bcrypt is a lot older than SHA512!)

我用Google搜索了bcrypt c＃这是第三个结果



使用BCrypt来填充密码：C＃和SQL Server的示例 [ ^ ]

I googled "bcrypt c#" and this was the third result

Use BCrypt to Hash Your Passwords: Example for C# and SQL Server[^]

对于BCrypt实现的C＃，请看：< a href =https://bcrypt.codeplex.com> BCrypt.Net 。



也许你的网络搜索问题正在寻找实施bcrypt进入C＃桌面应用程序。 桌面的概念或非桌面的任何内容如何与主题相关？搜索字符串可能只是BCrypt C＃。也许您需要的是拥抱分离关注点。 :-)



对于基于密码的身份验证，我建议使用SHA-2（或SHA-3）。这是正确使用它的问题。从堆中拍摄，你认为SHA算法太快并因此允许恶意艺术家计算大量哈希的论点看起来并不严重。假设合法用户只经历一次身份验证周期，因此稍微慢一点的哈希计算并不重要。但是你总是可以在服务器部分放慢这个循环。我不是说这会成为一种可行的安全技术;我的意思是，这种考虑打破了你对基于速度的其他算法的好处的猜测。一般来说，基于慢速的某些算法的安全性的整体思路听起来很荒谬。它与真正的安全功能无关，例如缺少后门和加密可行性蛮力攻击。另请参见 https://en.wikipedia.org/wiki/Hash_function_security_summary [ ^ ]。

-SA

For BCrypt implemented in C#, please see: BCrypt.Net.

Perhaps your Web search problem was looking for "implementing bcrypt into C# desktop applications". How the concept of "desktop" or anything which is "not desktop" could be related to the topic? The search string could be just "BCrypt C#". Maybe all you need is to embrace separation of concerns. :-)

And for password-based authentication, I would recommend using SHA-2 (or SHA-3). It's the matter of using it correctly. Shooting from the heaps, your argument that SHA algorithms are too fast and hence allow the malicious artist to "calculate a lot of hashes" just doesn't look serious. Let's say, the legitimate user goes through the authentication cycle only once, so a little slower calculation of the hash does not matter. But you can always slow down this cycle on the server part. I don't say that this would make a viable security technique; I just mean that this consideration breaks your speculations on the benefit of other algorithms based on speed. Generally, the whole idea of security of some algorithm based on its slow speed sounds absurd. It has nothing to do with real security features, such as lack of backdoor and cryptographic feasibility of brute-force attack. See also https://en.wikipedia.org/wiki/Hash_function_security_summary[^].

—SA

这篇关于如何在C＃中实现bcrypt.net的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！