- (27) Piskvor left the building, Aug 9, 2011 at 9:07: To quote the linked comment: "[we] moved to PBKDF2 as it is built into the .NET framework, whereas BCrypt would require us to verify an implementation". Note that the comment doesn't say the algorithm is better, just that the SE Dev Team considers the built-in PBKDF2 implementation more trusted than an external library (which is, ultimately, a judgement call).
- (4) Chris Marisic, Aug 9, 2011 at 12:42: @Piskvor I updated my answer. This isn't about what the SO team considers secure but a judgement call between inherently proven secure or hopefully secure. The latter, when it comes to cryptography, is unacceptable.
- (8) Dharmendar Kumar 'DK', Jan 6, 2014 at 22:44: I wonder how SO migrated all the bcrypt hashed passwords to the new hashes? Wouldn't they need the raw passwords to hash them using the new algorithm?
- (9) Matt Kocaj, Jul 8, 2014 at 5:54: @DK I don't even think you have to ask them to reset their passwords. On next login (where they supply their plaintext password) you can do it, I believe.
- (13) Polynomial, Jan 2, 2017 at 21:43: This is poor advice and I am surprised it has so many upvotes. Verifying a BCrypt implementation in a managed language is much, much more trivial than verifying something like an entire SSL implementation in C. Heartbleed is completely irrelevant; you'd be better off mentioning something like PHP type coercing problems with hash equality checks. Plus, while largely suitable in a practical sense, PBKDF2 is a KDF, not a password hashing algorithm, whereas BCrypt is better suited. Regardless, it would make much more sense to use Argon2 these days anyway, for which there is a well-tested C# library.
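The rehash-on-login migration that DK asks about and Matt Kocaj describes, written out as an added example that is not code from this thread or from Stack Overflow. It also uses a constant-time comparison for the final hash check, the class of "hash equality check" problem Polynomial mentions. The stored-hash string format, the `legacy-sha256` scheme standing in for the old algorithm (the thread's case was bcrypt, which would be verified with the bcrypt library instead), the iteration count and the in-memory `users` dict are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for the old scheme; in the thread's case this would be bcrypt.
LEGACY_ID = "legacy-sha256"
# New scheme: PBKDF2-HMAC-SHA256, available in the standard library (hashlib).
CURRENT_ID = "pbkdf2-sha256"
PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise it over time and rehash again


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


def legacy_hash(password: str, salt: bytes) -> str:
    """Old format: $legacy-sha256$<b64 salt>$<b64 digest> (constructed for the example)."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return f"${LEGACY_ID}${_b64(salt)}${_b64(digest)}"


def pbkdf2_hash(password: str, salt=None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """New format: $pbkdf2-sha256$<iterations>$<b64 salt>$<b64 key>."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"${CURRENT_ID}${iterations}${_b64(salt)}${_b64(key)}"


def verify(password: str, stored: str) -> bool:
    """Recompute under whichever scheme the stored string declares and compare in constant time."""
    parts = stored.split("$")
    if len(parts) == 4 and parts[1] == LEGACY_ID:
        candidate = legacy_hash(password, _unb64(parts[2]))
    elif len(parts) == 5 and parts[1] == CURRENT_ID:
        candidate = pbkdf2_hash(password, _unb64(parts[3]), int(parts[2]))
    else:
        return False  # unknown or malformed record: fail closed
    return hmac.compare_digest(candidate, stored)


def needs_rehash(stored: str) -> bool:
    """True for legacy records and for PBKDF2 records below the current work factor."""
    parts = stored.split("$")
    if len(parts) < 3 or parts[1] != CURRENT_ID:
        return True
    return int(parts[2]) < PBKDF2_ITERATIONS


def login(users: dict, username: str, password: str) -> bool:
    """Verify the password; on success, transparently upgrade the stored hash if needed."""
    stored = users.get(username)
    if stored is None:
        pbkdf2_hash(password)  # spend comparable time so unknown users are not faster to reject
        return False
    if not verify(password, stored):
        return False
    if needs_rehash(stored):
        # The plaintext is in hand only at this moment, so this is where the migration happens.
        users[username] = pbkdf2_hash(password)
    return True


if __name__ == "__main__":
    # Constructed sample store with one account still on the old scheme.
    users = {"alice": legacy_hash("correct horse", b"0123456789abcdef")}
    print(login(users, "alice", "wrong"), users["alice"][:16])
    print(login(users, "alice", "correct horse"), users["alice"][:24])
```

Records are never upgraded on a failed attempt, so an attacker cannot force a rehash; once every active user has logged in, the remaining legacy rows can be expired or their owners asked to reset, since those passwords are unavailable to rehash.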