Bcrypt.net Versions Save

BCrypt.Net - Bringing updates to the original bcrypt package

2.1.4

5 years ago
  • Enhanced entropy defaults to Legacy384 which is basically the way it operated prior to this version anyway this will be maintained for v2.
  • Default rounds raised to 11 (in keeping with other frameworks/languages)
  • Add target for 4.7.2
  • Reduce regex timeout to 30ms from 300

2.1.2

6 years ago

https://github.com/BcryptNet/bcrypt.net/compare/2.1.1...62a57cd

  • Netstandard v2
  • Correct typos
  • Documentation updates (mostly typo related)
  • Csproj changes.

Deployment made for typos/netstandard.

2.1.1

7 years ago

v2.1.0

7 years ago
  • Adds enhanced mode; enhanced hashing allows you to opt-in to ensuring optimal entropy on your users passwords by first making use of the fast SHA384 algorithm before BCrypt hashes the password.
  • Added Hash interrogation to allow a hash to be passed in and its component parts be returned.
  • Added timeouts to regex and set compiler flags for msbuild so < .net 4.5 (where timeouts were added to regex) we use old regex method.
  • Alter safe equals from ceq/and to xor/and/ceq moving the check outside of the loop to mitigate against branch prediction causing a timing leak
  • Add new method PasswordNeedsReshash(string hash, int newMinimumWorkLoad) as a helper method for developers to use when logging a user in to increase legacy workloads
  • Add ValidateAndReplacePassword method to allow inline password validation and replacement. Throws BcryptAuthenticationException in the event of authentication failure.
  • Cleaned up xml-doc for intellisense
  • Increased compatibility by allowing BCrypt revisions from other frameworks/languages to be validated and generated whilst maintaining compatibility.
  • VS2017 RTW changes

2.0.1

7 years ago
  • Corrects usage of Secure random number generator
  • Change UTF8 handling to safer default (throwOnInvalidBytes: true)
    • .NET Encoding.UTF8 encoding instance does not raise exceptions used to encode bytes which cannot represent a valid encoding & will return the same 'unknown' character instead. This can cause entropy loss when converting from bytes to strings.
  • Change secure equals to match .net identity implementation
  • Inline vars in encipher method

2.0.0

7 years ago

Fresh release packaged for the majority of .net & containing safe-equals to reduce the risks from timing attacks https://en.wikipedia.org/wiki/Timing_attack / https://cryptocoding.net/index.php/Coding_rules#Compare_secret_strings_in_constant_time Technically the implementation details of BCrypt theoretically mitigate against a timing attacks. But the Bcrypt.net official validation function was vulerable to timing attacks as it returned as soon as a non-matching byte was found in the hash comparison..

https://www.nuget.org/packages/BCrypt.Net-Next/2.0.0