I've recently learned about using SHA256 to generate password hashes for salted passwords. After reading a bit about salted passwords and security, I saw the rfc2898derivebytes and passwordderivebytes classes in .NET. Is there any advantage to using the rfc2898derivebytes class over the usual hashing method (generate salt, generate salted password, store both in db)?

1 Answers
A standard hash, such as SHA256, can be generated extremely quickly on modern hardware.
This is generally considered a good thing, but there is a downside: the bad guys attempting to crack your passwords can also generate those hashes extremely quickly, meaning that they can discover your passwords relatively easily using brute-force.
Key derivation algorithms such as bcrypt and PBKDF2 (aka Rfc2898DeriveBytes) are much slower than standard hash algorithms. They use a standard hash algorithm internally -- SHA1 in the case of Rfc2898DeriveBytes -- but they iterate thousands of times to generate the derived key.
So although your machine needs to do a lot more work to generate a "hash" using an iterative key derivation algorithm, the bad guys attempting to crack your passwords also have to do a lot more work. This is a good thing.
The Rfc2898DeriveBytes class allows you to specify the number of iterations to use (I think the default is 1,000). The more iterations that you use, the harder it will be for an attacker to crack your passwords using brute-force.

- thanks. clears the problem. one more thing though, this only means that PBKDF2 generation is only slow during the generation (user account creation) or will I be using this to verify user login too? – Bahamut Nov 15 '12 at 11:06
- It'll be slow during creation *and* login (because you need to regenerate a key from the entered password before comparing it to the stored key). Using an iterative algorithm like PBKDF2 requires a trade-off; try to use the maximum number of iterations that you can stand, although only you can decide what that is (determined by the load on your machine, the delay that your users are prepared to accept etc). – LukeH Nov 15 '12 at 11:37
- Am I right, that the conclusion from your explanation is the following: PBKDF2 is better than SHA256 _only_ because it makes several thousands of operations? On my computer, SHA256 calculation is about 5 times faster, so will it be same secure if I calculate, say 500K of SHA256 instead of 100K of PBKDF2? Thanks! – Mar May 16 '16 at 11:50