Maybe I'm the only one who actually cares about this kind of thing, but to me, little mistakes make something look unprofessional, or make me assume I'm dealing with a person who can only write code and doesn't have a broader perspective on things.
ASP Security Kit is my humble attempt to solve the membership management problem for applications built on the ASP.NET MVC platform. I have periodically observed that there are many common but essential requirements for most real-world web applications that aren't served well, such as action-based and resource (entity record) aware authorization. ASK handles all such must-have requirements pretty transparently and is highly flexible. This is because it's been developed and actively improved as the basis of many consultancy projects I have undertaken over the years.
It also has many nice-to-have things and many more things planned. I'm pretty excited about it and, looking at the traffic I have received, many others feel the same way.
So thanks everyone for logging on to the site and special thanks to those who have shown interest and provided their email! I'll soon get in touch with you all personally sharing the progress and launch date.
I confess that I had to look up "key stretching". Is it usual to do this, and why do you do it?
"Salt ensures that attackers can't use specialized attacks like lookup tables and rainbow tables to crack large collections of hashes quickly, but it doesn't prevent them from running dictionary or brute-force attacks on each hash individually. High-end graphics cards (GPUs) and custom hardware can compute billions of hashes per second, so these attacks are still very effective. To make these attacks less effective, we can use a technique known as key stretching. The idea is to make the hash function very slow, so that even with a fast GPU or custom hardware, dictionary and brute-force attacks are too slow to be worthwhile. The goal is to make the hash function slow enough to impede attacks, but still fast enough to not cause a noticeable delay for the user."
I intentionally gave you some good options (PBKDF2, bcrypt) and some really bad ones (MD5, in-house) to choose from. I assume that you are using a tested and trusted library to implement PBKDF2?
But isn't the work factor - the "number of iterations" in PBKDF2 - doing the same thing as key stretching, i.e. "make the hash function very slow"? There is also a similar parameter in bcrypt. So you don't need to add anything else special to the crypto, and indeed shouldn't.
It'd make brute forcing harder - longer :-)
May I ask, what do you use ASP.NET MVC for?
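The exchange above turns on the point that PBKDF2's iteration count is the key-stretching parameter: you tune it, you don't bolt extra stretching on top. The following is an added Python example written for this page; it is not code from ASP Security Kit or from any commenter. It uses the standard library's PBKDF2-HMAC-SHA256, stores the iteration count and salt alongside the hash so the work factor can be raised later, verifies in constant time, and calibrates the iteration count against the machine it runs on. The 600,000-iteration floor is an assumed policy value used here, not something the thread specifies.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed policy floor for PBKDF2-HMAC-SHA256; recalibrate on your own hardware.
MIN_ITERATIONS = 600_000
SALT_BYTES = 16
DK_LEN = 32
ALG = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = MIN_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<dk hex>.

    Storing the iteration count with the hash is what lets you raise the work
    factor later without invalidating existing accounts.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # per-password random salt defeats rainbow tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DK_LEN)
    return f"{ALG}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record and compare in constant time."""
    try:
        alg, iters, salt_hex, dk_hex = record.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False
    if alg != ALG or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DK_LEN)
    # hmac.compare_digest avoids leaking the matching prefix length via timing.
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str, current_iterations: int = MIN_ITERATIONS) -> bool:
    """True when the stored work factor is below current policy (rehash on next login)."""
    return int(record.split("$")[1]) < current_iterations


def seconds_per_hash(iterations: int) -> float:
    """Measure the cost of one hash at the given work factor on this machine."""
    salt = os.urandom(SALT_BYTES)
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"calibration", salt, iterations, dklen=DK_LEN)
    return time.perf_counter() - t0


def calibrate_iterations(target_seconds: float = 0.25,
                         floor: int = MIN_ITERATIONS) -> int:
    """Pick an iteration count that costs about target_seconds per hash, never below floor."""
    probe = 50_000
    elapsed = seconds_per_hash(probe)
    if elapsed <= 0:
        return floor
    estimate = int(probe * target_seconds / elapsed)
    return max(estimate, floor)


if __name__ == "__main__":
    # Show the effect of the work factor: same primitive, only the iteration count changes.
    for n in (1_000, 100_000, MIN_ITERATIONS):
        print(f"{n:>8} iterations: {seconds_per_hash(n) * 1000:.1f} ms per guess")
    print("calibrated iterations:", calibrate_iterations())

    record = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("Tr0ub4dor&3", record))
```

The "ms per guess" line is the whole argument of the thread in numbers: an attacker's cost per candidate scales linearly with the iteration count, and the defender picks the largest count whose login delay users will tolerate. The `needs_rehash` check is what makes raising that count later a routine change rather than a migration.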
ASP.NET MVC mostly for:
- Invoicing application (SMB development) - DDD application