The password leak of LinkedIn proved how important it is to securely hash your passwords. However, even hashing passwords with a salt is not secure with the 'normal' hashing algorithms (such as MD5 and the SHA family), since they are optimized for speed, which allows hackers compute 2300 million hashes per second (brute force).

There are hashing algoritms that are safer to use because they are much more computational intensive, such as PBKDF2, Bcrypt, PBMAC, and scrypt. These hashing algorithms however, don't seem to be included in the .NET framework.

So, which performance intensive hashing algorithms are included in the .NET framework?

ANSWER: PBKDF2 is included in the framework and this site shows how to use it properly.

I think it's not really a meaningful Class name, but I do think it is included in the .NET framework. According to multiple sources, Rfc2898DeriveBytes is actually a PBKDF2 implementation. MSDN says so as well.

See Why do I need to use the Rfc2898DeriveBytes class (in .NET) instead of directly using the password as a key or IV? and PBKDF2 implementation in C# with Rfc2898DeriveBytes

for example.

There is also:

http://bcrypt.codeplex.com/ (bcrypt)

http://www.zer7.com/software.php?page=cryptsharp (scrypt, etc)

There is no hashing algorith that is 100% secure. The linkedin hack was more due to infrastructure/code security than the hashing algorithm. Any hash can be calculated, it just takes longer the more complicated the hashing algortihm is. Some attacks such as collision attacks are not actually much slower to accomplish on a more complicated hash.

I always ensure that i hash passwords (never just encrypt), restrict access to servers. All developers workingfor me understand at least the basics of security (sql injection, overflows etc) and any high profile site i work on is pen-tested.