Stronger password hashing in .NET with Microsoft’s universal providers

added by troyhunt
7/23/2012 9:19:37 AM


Last month I wrote about our password hashing having no clothes which, to cut to the chase, demonstrated how salted SHA hashes (such as those created by the ASP.NET membership provider) offered next to no protection from brute force attacks. I’m going to assume you’re familiar with the background story on this (read that article before this one if not), but the bottom line was that cryptographic hashing of passwords needs to be way slower. Not half the speed or even one tenth of the speed; it needs to be thousands of times slower. The conclusion of the post was, frankly, a little unsatisfying. Why? Because it essentially said “If you take my favourite technology stack and use the default implementation to store passwords, it’s insecure”. Yes, I suggested alternative approaches but these didn’t work natively with the membership provider or required machine.config access, so they really weren’t conducive to today’s world of getting an app up into the cloud in 5 minutes. But it turns out that we’re on the cusp of solving this for ASP.NET and you can access a better solution right now. In fact you may even be using it already and just don’t know it because, until now, it really hasn’t been publicised.


7/23/2012 9:20:41 AM
I'm glad that Microsoft has now made the default configuration more secure. I think they probably could have upped the iterations to 5,000 (or more?) like Zetetic did, but I'm happy that they've made an effort.

7/25/2012 8:57:54 AM
But like the article states, you always face performance issues when you up the security to higher levels. And more often than not, logins aren't simply logins; sometimes there are other business rules/factors that also take shape during login. Compound that with a higher iteration rate and you could start slowing down your app significantly, and we all know if something is even remotely difficult to do within any application, users will immediately hate it and forget about using it.
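The excerpt argues that password hashing has to be made deliberately slow, and the comments weigh the iteration count against login latency. The following is an added example, not code from the original post, from Microsoft's providers or from the commenters, showing both points in working code: a salted, iterated hash with the iteration count stored alongside the salt, a constant-time verifier, a check for records hashed below the current work factor, and a calibration routine that raises the iteration count until one hash costs a chosen time budget. It assumes PBKDF2-HMAC-SHA256 as the iterated scheme (the page mentions "iterations" and "salted SHA hashes" but does not name the provider's exact construction), and the function names, iteration counts and sample passwords are constructed for the illustration.

```python
"""Salted, iterated password hashing with a tunable work factor (added example).

Assumption: PBKDF2-HMAC-SHA256 stands in for the provider's iterated scheme.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

PRF = "sha256"      # assumed pseudo-random function for PBKDF2
SALT_BYTES = 16
KEY_BYTES = 32
SCHEME = f"pbkdf2-{PRF}"


def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex.

    Storing the iteration count with the hash lets the work factor be raised
    later without breaking verification of older records.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt per password
    dk = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations, KEY_BYTES)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != SCHEME:
        return False
    expected = bytes.fromhex(dk_hex)
    actual = hashlib.pbkdf2_hmac(
        PRF, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters), len(expected)
    )
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, current_iterations: int) -> bool:
    """True if the record was produced with fewer iterations than the current policy."""
    return int(stored.split("$")[1]) < current_iterations


def time_one_hash(iterations: int) -> float:
    """Seconds taken by a single hash at the given iteration count (fixed salt, timing only)."""
    salt = b"\x00" * SALT_BYTES
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(PRF, b"correct horse battery staple", salt, iterations, KEY_BYTES)
    return time.perf_counter() - start


def calibrate_iterations(target_seconds: float, start: int = 1000, cap: int = 1 << 22) -> int:
    """Double the iteration count until one hash costs at least target_seconds on this host.

    This is the performance trade-off from the discussion made explicit: the
    defender pays this cost once per login, the attacker pays it per guess.
    """
    iterations = start
    while iterations < cap and time_one_hash(iterations) < target_seconds:
        iterations *= 2
    return iterations


if __name__ == "__main__":
    # Constructed demonstration: cost of 1,000 vs 10,000 iterations, then a 100 ms budget.
    for n in (1000, 10000):
        print(f"{n:>6} iterations: {time_one_hash(n) * 1000:.1f} ms")
    chosen = calibrate_iterations(0.1)
    print(f"iterations for ~100 ms on this machine: {chosen}")
    record = hash_password("hunter2", chosen)
    print("verify correct:", verify_password("hunter2", record))
    print("verify wrong:  ", verify_password("hunter3", record))
    print("needs rehash at 2x policy:", needs_rehash(record, chosen * 2))
```

On login, verify the password first and, if `needs_rehash` reports an old work factor, re-hash with the current iteration count and overwrite the record; that upgrades stored hashes gradually as users sign in rather than requiring a reset.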