Support for new ASP.NET password storage practices
(11-15-2012, 11:54 PM)thorsheim Wrote: But .. uhh. Troy? You know ASP.NET WAAAY better than I do. Can't you configure it to use other algorithms as well, with the above being the (new) default?

Not out of the box, what you see above are the defaults and that's what you get if you provision a brand new ASP.NET site.

Having said that, they implement a provider model which allows you to re-implement components without changing the interfaces to the rest of the app. You can head over to NuGet and pull down a package like Zetetic's which'll do 5,000 rounds of PBKDF2 or 2^10 rounds of bcrypt:

Agree with all that it's way too weak by default. The universal provider with 1,000 rounds of PBKDF2 is certainly much better then the previous single round but still falls way short of where it needs to be. This is why I'd really like to see these patterns implemented so the respective risks of the various implementations can be quantified and developers can make their choices with all the facts in front of them.

Messages In This Thread
RE: Support for new ASP.NET password storage practices - by troyhunt - 11-17-2012, 03:04 AM