Last post Feb 22, 2016 08:20 PM by BrynP
Feb 07, 2016 02:23 PM|BrynP
I am at the moment looking to rewrite a project I did in Ruby on Rails in ASP.NET. All of the data for this project is on a PostgreSQL server, which is not a problem, because I should be able to get access to its data.
However, before I get started, I did have a question and I believe it should be a quite simple question to answer.
On my Ruby on Rails app I used Devise for user management, which I know defaults to using BCrypt to hash the passwords. I know I can set up BCrypt fairly easily on ASP.NET; however, I am still somewhat naive when it comes to hashing. Would I be able to still verify (or if need be, change) existing passwords through my ASP.NET project just as long as the same hash (BCrypt) is used for both projects? Or is there something I could be potentially missing?
I thought I would check to see if such a thing were possible before I approach it.
Feb 16, 2016 08:55 AM|Mikesdotnetting
If the same algorithm is used to generate the hash, the resulting hash should be the same regardless of platform. In any event, this should be very simple for you to test for yourself. Take a known password from your existing app, and compare the hash to one generated by a console app using a library that implements BCrypt. Here's one: https://www.nuget.org/packages/Zetetic.Security
The only thing you need to check is the number of computations/iterations that Devise uses. The library I linked to uses 2^10.
Worst case scenario, you need to get all your users to change their passwords.
Feb 22, 2016 08:20 PM|BrynP
I will have to look up the iterations. But I will do the test and see how it works out. As you say, the worst case scenario is for members to change their password.
I was using a different library for BCrypt, I think it was BCrypt.NET off the top of my head, but I'll check out Zetetic. I'll see what my settings are for Devise; it should be the default as I've not changed anything when I wrote my original project.
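
Added example, not part of the original thread or of any library mentioned in it: a bcrypt hash string carries its own version, cost and salt, so the values stored by Devise can be audited before the migration to see which ones an ASP.NET bcrypt library can verify as-is. The names `parse_bcrypt`, `audit_hashes`, `SAMPLE_ROWS` and `target_cost` are hypothetical, and the sample hashes are constructed filler, not real credentials.

```ruby
# Layout of a bcrypt hash string: $<version>$<cost>$<22-char salt><31-char digest>
# Salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = %r{\A\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})\z}

BcryptInfo = Struct.new(:version, :cost, :iterations, :salt, :digest)

# Returns a BcryptInfo, or nil when the string is not a well-formed bcrypt hash.
def parse_bcrypt(hash)
  m = BCRYPT_RE.match(hash.to_s)
  return nil unless m
  cost = m[2].to_i
  return nil unless (4..31).cover?(cost) # valid bcrypt cost range
  # The cost is a log2 value: cost 10 means 2^10 key-expansion iterations.
  BcryptInfo.new(m[1], cost, 2**cost, m[3], m[4])
end

# Classifies each stored hash for the migration:
#   :ok        verifiable as-is (the verifier reads cost and salt from the hash)
#   :rehash    verifiable, but below target_cost; re-hash after the next good login
#   :malformed not a bcrypt string; that user needs a password reset
def audit_hashes(rows, target_cost: 10)
  rows.each_with_object(Hash.new { |h, k| h[k] = [] }) do |(user, hash), out|
    info = parse_bcrypt(hash)
    status =
      if info.nil?
        :malformed
      elsif info.cost < target_cost
        :rehash
      else
        :ok
      end
    out[status] << user
  end
end

# Constructed sample rows (user, stored hash); salt and digest are filler.
FAKE_SALT   = 'abcdefghijklmnopqrstuv'
FAKE_DIGEST = 'A' * 31
SAMPLE_ROWS = [
  ['alice', '$2a$10$' + FAKE_SALT + FAKE_DIGEST],
  ['bob',   '$2a$04$' + FAKE_SALT + FAKE_DIGEST],
  ['carol', 'not-a-bcrypt-hash'],
  ['dave',  '$2b$12$' + FAKE_SALT + FAKE_DIGEST]
]

if __FILE__ == $PROGRAM_NAME
  audit_hashes(SAMPLE_ROWS).each { |status, users| puts "#{status}: #{users.join(', ')}" }
end
```

Because the salt is random per hash, checking a password means passing the stored string to the library's verify function rather than comparing it with a freshly generated hash. If the Devise initializer sets `config.pepper`, Devise appends that value to the password before hashing, so the ASP.NET side has to append it as well.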