.net implementation of bcrypt

Question

Does anyone know of a good implementation of bcrypt, I know this question has been asked before but it got very little response. I'm a bit unsure of just picking an implementation that turns up in google and am thinking that I may be better off using sha256 in the System.Security.Cryptography namespace, at least then I know it's supported! What are you thoughts?

ine · Accepted Answer · 2022-12-30T19:25:03.167

58

It sounds like you are looking for BCrypt.net:

BCrypt.net is an implementation of OpenBSD's Blowfish-based password hashing code, described in "A Future-Adaptable Password Scheme" by Niels Provos and David Mazières. It is a direct port of jBCrypt by Damien Miller, and is thus released under the same BSD-style license. The code is fully managed and should work with any little-endian CLI implementation -- it has been tested with Microsoft .NET and Mono.

edited Dec 30 '22 at 19:25

answered May 16 '09 at 22:02

ine

14,014
8
55
80

Yes, that was the one I found with Google also. Do you use it, or do you know if it's widely used? – Gareth May 17 '09 at 06:54
Haven't used BCrypt, but judging from references from other internet sites, it looks like this implementation is really good. However, unless you have a pressing need to use BCrypt specifically, why not just go with the built-in SHA256 or SHA512? – ine May 17 '09 at 19:35
2

The reason I thought about using BCrypt was because of this article http://www.matasano.com/log/958/enough-with-the-rainbow-tables-what-you-need-to-know-about-secure-password-schemes/ and it claimed BCrypt is the way to go. – Gareth May 19 '09 at 09:11
Roger that. That article is the same reason I gooogled bcrypt for .NET and came to this question on stackoverflow. Specifically, from the article, you shouldn't use SHA256 or SHA512 because those are both optimized for SPEED, and a password generating hash should be SLOW, or TAKE A LONG TIME. – Adam Nofsinger Jun 13 '09 at 16:02
13

Just wanted to add a note that if you are using BCrypt.net on Windows Server 2008 you'll need to name it something other than BCrypt.dll or it will conflict with the new Windows API in Vista that calls functions in a 'bcrypt.dll', so if you have Bcrypt.net as Bcrypt.dll in your web app bin/ directory Windows won't be able to find the correct dll and you will get some cryptic errors. – thelsdj Apr 03 '10 at 17:47
5

Note: The following reason on why to use bCrypt (for those interested). http://codahale.com/how-to-safely-store-a-password/ – thames Dec 15 '10 at 15:45
1

Article moved: http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow- tables-what-you-need-to-know-about-s.html – Code Silverback May 07 '12 at 13:46
Note that this library was last updated in 2007, while the Codeplex links from Ryan Emerle and Maksym Kozlenko's answers was last updated November 2013. – Anti-weakpasswords Apr 04 '14 at 03:05
Link's broke... – Benj Sanders Sep 23 '22 at 16:27
here for anyone from the future like me: https://github.com/BcryptNet/bcrypt.net – Ahmed Mohammed Dec 23 '22 at 14:36

score 25 · Answer 2 · answered Nov 19 '12 at 23:56

BCrypt.Net seems to be a most popular library at this moment

http://bcrypt.codeplex.com/

Here is an example how to use it for hashing password:

[TestMethod]
    public void BCryptTest()
    {
        const string password = "PASSWORD";
        const int workFactor = 13;

        var start = DateTime.UtcNow;
        var hashed = BCrypt.Net.BCrypt.HashPassword(password, workFactor);
        var end = DateTime.UtcNow;

        Console.WriteLine("hash length is {0} chars", hashed.Length);
        Console.WriteLine("Processing time is {0} with workFactor {1}", end - start, workFactor);
        Console.WriteLine("Hashed password: {0} ", hashed);
        Console.WriteLine("correct password {0}", BCrypt.Net.BCrypt.Verify("PASSWORD", hashed));
        Console.WriteLine("incorrect password {0}", BCrypt.Net.BCrypt.Verify("PASSWORd", hashed));
    }

Sample output:

hash length is 60 chars
Processing time is 00:00:01.0020000 with workFactor 13
Hashed password: $2a$13$iBqdG7ENBABEargiyzGlTexPsmviF/qrFxUZB2zce7HKF6MoBNhEq 
correct password True
incorrect password False

score 23 · Answer 3 · answered Dec 17 '10 at 15:38

23

You can find an updated implementation of BCrypt for .Net here: http://bcrypt.codeplex.com/

answered Dec 17 '10 at 15:38

Ryan Emerle

15,461
8
52
69

score 6 · Answer 4 · answered Jan 22 '11 at 07:29

I needed a BCrypt implementation when moving something from PostgreSQL (which has pg_crypto) to SQLite (which doesn't), so I wrote my own. Seeing from this message I'm not the only one needing this, I've decided to slap a license on it and release it. The URL is:

http://zer7.com/software.php?page=cryptsharp

The Blowfish implementation behind it is a port of Bruce Schneier's public domain C implementation, and succeeds on all the official test vectors.

The BCrypt code I wrote myself based on the spec. I also created a PHP script which generates random passwords of length 0 to 100 and salts, crypts them, and outputs them to a test file. The C# code matches these 100% of the time so far. You are welcome to use the script and test this yourself.

The library also includes PBKDF2 code which works for any HMAC as opposed to .Net's SHA-1-only implementation (added today -- I'm intending to do SCrypt in C# soon and that requires PBKDF2 with HMAC-SHA256). You could make yourself a scheme based on this too, if you wanted.

Ioanna · Answer 5 · 2019-01-18T22:29:46.843

0

Wrong answer, please see below

All "Cng" (Cryptography Next Generation) postfixed algorithms in the .Net Framework now use bcrypt. E.g. SHA256Cng.

Actually the MS BCrypt (BestCrypt) does not refer to the one based on the Blowfish cipher - thank you, RobbyD, for the comment.
Will not delete the answer, just in case anyone else makes the same confusion.

edited Jan 18 '19 at 22:29

answered Aug 29 '18 at 09:10

Ioanna

1,311
2
23
36

1

BCrypt in that context refers to a Microsoft PR name BestCrypt. See http://stackoverflow.com/questions/9711568/does-winapis-bcrypt-h-actually-support-bcrypt-hashing/30014282#30014282 for more details. – RobbyD Jan 17 '19 at 16:01

score -2 · Answer 6 · answered Aug 26 '15 at 20:04

-2

Have you tried this MS BCryptCreateHash C++ function perhaps?? Seems to be present from Windows Server 2008 and Windows Vista.

Also, you can probably check the following MS C# BCryptNative.cs class too perhaps.

answered Aug 26 '15 at 20:04

Deb

737
1
5
20

see http://stackoverflow.com/questions/9711568/does-winapis-bcrypt-h-actually-support-bcrypt-hashing/30014282#30014282 - the windows bcrypt stuff is not related to bcrypt. – ben Sep 03 '15 at 11:27

.net implementation of bcrypt

6 Answers6

Linked