49 lines
1.3 KiB
Plaintext
49 lines
1.3 KiB
Plaintext
== How to fix it in ASP.NET
|
|
|
|
=== Code examples
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,csharp,diff-id=201,diff-type=noncompliant]
|
|
----
|
|
using System.Security.Cryptography;
|
|
|
|
RNGCryptoServiceProvider rngCsp = new RNGCryptoServiceProvider();
|
|
byte[] salt = new byte[32];
|
|
rngCsp.GetBytes(salt);
|
|
Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, 100, HashAlgorithmName.SHA256); // Noncompliant
|
|
string hashed = Convert.ToBase64String(kdf.GetBytes(256 / 8));
|
|
----
|
|
|
|
Using `using Microsoft.AspNet.Identity`:
|
|
[source,csharp]
|
|
----
|
|
using Microsoft.AspNet.Identity;
|
|
|
|
string password = "NotSoSecure";
|
|
PasswordHasher hasher = new PasswordHasher();
|
|
string hash = hasher.HashPassword(password); // Noncompliant
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,csharp,diff-id=201,diff-type=compliant]
|
|
----
|
|
using System.Security.Cryptography;
|
|
|
|
RNGCryptoServiceProvider rngCsp = new RNGCryptoServiceProvider();
|
|
byte[] salt = new byte[32];
|
|
rngCsp.GetBytes(salt);
|
|
Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, 100_000, HashAlgorithmName.SHA256); // Compliant
|
|
string hashed = Convert.ToBase64String(kdf.GetBytes(256 / 8));
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
include::../../common/fix/pbkdf2-parameters.adoc[]
|
|
|
|
=== Going the extra mile
|
|
|
|
include::../../common/extra-mile/peppering.adoc[]
|
|
|