Open dotnetchris opened 12 years ago
dotnetchris
commented
12 years ago If AppHarbor is very serious about this package it should either switch to PBKDF2 (what I recommend) otherwise it should proactively assume the burden and costs to have the BCrypt implementation verified such that AppHarbor.Web.Security can be viewed as truly secure for it's dependence on BCrypt.
mehrdada
commented
12 years ago I want to point out that only the example project has a dependency on BCrypt. The base AppHarbor.Web.Security library itself does not.
dotnetchris
commented
12 years ago If merely the sample uses BCrypt, I would strongly advocate switching to PBKDF2 in the sample. This will prevent users from following the sample and unknowingly open themselves up to liability for not using a verified algorithm (especially government software development)
nberardi
commented
12 years ago @dotnetchris you can always submit a pull request to show how PBKDF2 would be used.
PBKDF2 is the only verified implementation in .NET
http://stackoverflow.com/questions/481160/is-bcrypt-a-good-encryption-algorithm-to-use-in-c-where-can-i-find-it/6228051#6228051