The right way to implement password hashing using PBKDF2 and C#

Following on from my previous post about hashing using BCrypt, and in response to some comments I received on Google+, I decided to provide an alternative hashing implementation using PBKDF2.

As you will notice, the implementation is somewhat bigger than the one provided for BCrypt but in effect, both code segments perform the same task. First we create a hash from the plain text password and then we validate a password against the stored hash.

NOTE: The constants, like the iterations, can be changed to tweak the hash strength.

The code above is pretty self-explanatory. You call PasswordHash.HashPassword(plaintext) to get the hash back, and then you call PasswordHash.ValidatePassword(plainText, storedHash) to check whether the supplied password matches the one the user originally supplied.
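For readers who want a concrete reference, here is an added example of the two calls described above, written for this page and not taken from the original post. It targets .NET 6 or later (it uses the static Rfc2898DeriveBytes.Pbkdf2 and RandomNumberGenerator.GetBytes), and the storage format "iterations:base64(salt):base64(subkey)", the 16-byte salt, the 32-byte derived key and the 100,000-iteration count are all choices made for this example, not values from the post.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not the post's own code. The stored string carries the
// iteration count and the salt alongside the derived key, so the verifier
// can recompute the hash without any out-of-band state, and old hashes keep
// validating after the default iteration count is raised.
public static class PasswordHash
{
    private const int SaltSize = 16;        // 128-bit random salt per password (assumed value)
    private const int SubkeySize = 32;      // 256-bit derived key (assumed value)
    private const int Iterations = 100_000; // tune upward as hardware gets faster (assumed value)

    public static string HashPassword(string password)
    {
        if (password == null) throw new ArgumentNullException(nameof(password));

        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] subkey = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, SubkeySize);

        return string.Join(":",
            Iterations,
            Convert.ToBase64String(salt),
            Convert.ToBase64String(subkey));
    }

    public static bool ValidatePassword(string password, string storedHash)
    {
        if (password == null || storedHash == null) return false;

        string[] parts = storedHash.Split(':');
        if (parts.Length != 3) return false;
        if (!int.TryParse(parts[0], out int iterations) || iterations <= 0) return false;

        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[1]);
            expected = Convert.FromBase64String(parts[2]);
        }
        catch (FormatException)
        {
            return false; // malformed record: treat as a failed login, never as a match
        }

        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, iterations, HashAlgorithmName.SHA256, expected.Length);

        // Constant-time comparison so the check does not leak how many
        // leading bytes of the derived key matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }
}

public static class Program
{
    public static void Main()
    {
        string stored = PasswordHash.HashPassword("correct horse battery staple");
        Console.WriteLine(stored);
        Console.WriteLine(PasswordHash.ValidatePassword("correct horse battery staple", stored)); // True
        Console.WriteLine(PasswordHash.ValidatePassword("wrong password", stored));               // False
        Console.WriteLine(PasswordHash.ValidatePassword("anything", "not-a-valid-record"));       // False
    }
}
```

Two details matter beyond the PBKDF2 call itself: each password gets its own random salt, so identical passwords produce different stored strings, and the final comparison uses CryptographicOperations.FixedTimeEquals rather than a byte-by-byte loop or SequenceEqual, which would return early on the first mismatch.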

Personally, I'm a fan of BCrypt for its simplicity, but it is nice to know that there are two ways to achieve the same thing.

What is your preference? Did you find this useful? Let me know in the comments.
