Support for new ASP.NET password storage practices
To be fair, PBKDF2(HMAC-SHA1, pw, salt, 1000, 256) is absolutely much better than the previous SHA1(pw, salt). Completely insufficent and quite silly, but still better than we had. PBKDF2(HMAC-SHA-3-256, pw, salt, 100000, 256) would of course be better, but Microsoft seems dead against PBKDF2 for anything other than SHA1.

Atom, I would be extremely interested in the addition of PBKDF2 (PKCS #5, RFC2898) hash iteration types, though as # of rounds can vary (and should vary - see, I'd strongly suggest making the # of rounds a parameter, preferably on a password by password basis, i.e.

More flexible still, and very useful would be to also support the output length in bits as a parameter.

Messages In This Thread
RE: Support for new ASP.NET password storage practices - by Incisive - 12-12-2012, 09:30 PM