
BCrypt and ASP.net MVC

Published: at 07:27 AM

I was just reading today about yet another site that stored its users' passwords in plain text. The issue, of course, is that if you get hacked you expose everyone's passwords to the world, including passwords they may be reusing on other sites.

There is a lot of debate about how you should go about encrypting/hashing/obscuring passwords, and with a little research I found that a lot of people seem to think BCrypt is the way to go.

The recent hack of MtGox, the now infamous Bitcoin exchange, illustrates (yet again) that companies are storing cleartext passwords. A great HackerNews discussion dragged me into the murky world of password hashing; the result being the article quoted and linked to above.

My interest is in the technology stack I’m familiar with, namely WISC. The problem is that Microsoft don’t offer the bcrypt solution as a potential password hashing scheme under ASP.NET. ASP.NET Membership uses SHA1 by default (and HMACSHA256 in .NET 4.0 Framework), but the more I read about this, I come to the conclusion that such hashing algorithms just aren’t good enough.

Password hashing done properly (i.e. not the standard ASP.NET Membership scheme) uses bcrypt, because it is slow, and introduces a work factor, namely, a trade-off of security versus speed. As hardware gets faster and cloud computing becomes the norm, it becomes very cheap to crack hashing algorithms that are designed to be fast.

The quoted article outlines how you can use open source bcrypt in ASP.NET, and if you want to understand more about custom hashing algorithms in .NET you should take a look at HashAlgorithm.
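To make the work-factor point concrete, here is an added example of what the bcrypt flow looks like in a .NET application. It is not the quoted article's code; it assumes the BCrypt.Net-Next NuGet package (namespace BCrypt.Net, whose HashPassword and Verify calls match the older open source BCrypt.Net port), and the class name PasswordHasher and the TargetWorkFactor policy value are my own choices. Besides hashing and verifying, it reads the cost back out of a stored hash so that old hashes can be re-hashed at login when the policy is raised, and it times a single hash so you can pick a work factor for your hardware.

```csharp
// Added example: bcrypt password storage in a .NET application.
// Assumes the BCrypt.Net-Next NuGet package (namespace BCrypt.Net).
using System;
using System.Diagnostics;
using BCrypt.Net;

public static class PasswordHasher
{
    // Policy: the work factor every stored hash should have today.
    // Raise it as hardware gets faster; each +1 doubles the cost for
    // the attacker and for you alike.
    public const int TargetWorkFactor = 12;

    // Hash a new password. bcrypt generates a random 16-byte salt and
    // embeds both the salt and the cost in the returned string,
    // e.g. "$2a$12$<22 salt chars><31 hash chars>".
    public static string Hash(string password)
    {
        return BCrypt.Net.BCrypt.HashPassword(password, TargetWorkFactor);
    }

    // Read the cost back out of a stored hash ("$2a$10$..." -> 10).
    public static int WorkFactorOf(string storedHash)
    {
        string[] parts = storedHash.Split('$'); // ["", "2a", "10", "<salt+hash>"]
        if (parts.Length < 4)
            throw new FormatException("not a bcrypt hash");
        return int.Parse(parts[2]);
    }

    // Login check. Returns true if the password matches. If the stored hash
    // was produced with a lower work factor than the current policy, hands
    // back an upgraded hash in newHash so the caller can overwrite the
    // stored one; this is the only moment the cleartext is available.
    public static bool VerifyAndUpgrade(string password, string storedHash, out string newHash)
    {
        newHash = null;
        if (!BCrypt.Net.BCrypt.Verify(password, storedHash))
            return false;
        if (WorkFactorOf(storedHash) < TargetWorkFactor)
            newHash = Hash(password);
        return true;
    }

    // Measure one hash at a given cost to choose TargetWorkFactor:
    // pick the highest cost your login path can tolerate.
    public static double MillisecondsPerHash(int workFactor)
    {
        var sw = Stopwatch.StartNew();
        BCrypt.Net.BCrypt.HashPassword("timing probe", workFactor);
        sw.Stop();
        return sw.Elapsed.TotalMilliseconds;
    }
}

class Demo
{
    static void Main()
    {
        // Constructed sample: a hash stored under an older, lower policy (cost 10).
        string stored = BCrypt.Net.BCrypt.HashPassword("correct horse battery staple", 10);
        Console.WriteLine(stored);

        Console.WriteLine(PasswordHasher.VerifyAndUpgrade("wrong password", stored, out _));

        bool ok = PasswordHasher.VerifyAndUpgrade("correct horse battery staple", stored, out string upgraded);
        Console.WriteLine(ok);
        Console.WriteLine(upgraded != null
            ? "rehashed at cost " + PasswordHasher.WorkFactorOf(upgraded)
            : "no rehash needed");

        for (int cost = 10; cost <= 13; cost++)
            Console.WriteLine($"cost {cost}: {PasswordHasher.MillisecondsPerHash(cost):F0} ms");
    }
}
```

Two things worth noting: the salt and cost travel inside the hash string, so you store a single column and never have to manage salts yourself; and because the cost is stored per hash, you can raise TargetWorkFactor at any time and let existing accounts migrate on their next successful login rather than forcing a reset.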
