Open dotnetchris opened 12 years ago
If AppHarbor is very serious about this package it should either switch to PBKDF2 (what I recommend) or proactively assume the burden and costs of having the BCrypt implementation verified, such that AppHarbor.Web.Security can be viewed as truly secure for its dependence on BCrypt.
I want to point out that only the example project has a dependency on BCrypt. The base AppHarbor.Web.Security library itself does not.
If merely the sample uses BCrypt, I would strongly advocate switching to PBKDF2 in the sample. This will prevent users from following the sample and unknowingly opening themselves up to liability for not using a verified algorithm (especially in government software development).
@dotnetchris you can always submit a pull request to show how PBKDF2 would be used.
PBKDF2 is the only verified implementation in .NET
http://stackoverflow.com/questions/481160/is-bcrypt-a-good-encryption-algorithm-to-use-in-c-where-can-i-find-it/6228051#6228051