Releases

v5.x

v5.0.0 - Breaking change

  • Drops support for .net 2, 3.5, 5.0
  • Renamed namespace to BcryptNet to fix the issue with the class and namespace clashing.

Migrating to V5

Enhanced Entropy V1 is removed in V5. If you are using this feature, you will need to migrate to V2 or V3.

Namespace Change

The namespace has been changed to BCryptNet to avoid clashes with the class name.

Enhanced Entropy V2

The code has been split to avoid the endless growth of the main class and the signatures altered to more clearly show which version is being used.

Before

var enhancedHashPassword = BCrypt.EnhancedHashPassword(myPassword);
var validatePassword = BCrypt.EnhancedVerify(myPassword, enhancedHashPassword);

After

var enhancedHashPassword = BCryptExtendedV2.HashPassword(myPassword);
var validatePassword = BCryptExtendedV2.Verify(myPassword, enhancedHashPassword);

v4.x

  • v4.0.3 - Addition of .net 6 targeting; tidy up targets.
  • v4.0.2 - Addition of .net 5 targeting; wrap SHAxxx hash-algorithm creation in a using block so the instance is released.
  • v4.0.0 (breaking changes) - A bug in Enhanced Hashing was discovered that causes the hashes created to be inoperable between different languages. V4 provides the fix for this as well as adding test vectors from PHP and Python to ensure the issue remains fixed in the future. V4 also removes the legacy 384 option that came before Base64 was added.

v3.x

  • v3.5.0 - A bug in Enhanced Hashing was discovered that causes the hashes created to be inoperable between different languages. As part of the fix, the 3.5 release gives Verify and HashPassword an additional v4CompatibleEnhancedEntropy parameter. This allows the user to verify their Enhanced hash as normal, then re-hash and store using V4. This functionality is purely to allow migration and is removed in V4.
  • v3.3.3 - Performance (heap reduction) for netcore and removal of regex: https://github.com/BcryptNet/bcrypt.net/releases/tag/3.3.0

v2.x

v2.1.3 -

  • Update test SDK
  • Match versions between Strong-Signed / Normal package
  • Update copyright year in metadata
  • Typo correction

v2.1.2 -

  • NetStandard2 and Net 4.7 addition
  • Correct typo in PasswordNeedsReshash to PasswordNeedsRehash
  • Consolidate config changes

v2.1.1 -

  • Minor csproj changes / typo

v2.1.0 -

  • Adds enhanced mode; enhanced hashing allows you to opt in to ensuring optimal entropy on your users' passwords by first making use of the fast SHA384 algorithm before BCrypt hashes the password.
  • Added Hash interrogation to allow a hash to be passed in and its component parts are returned.
  • Added timeouts to regex and set msbuild compiler flags so that on targets below .net 4.5 (the version that added regex timeouts) the old regex method is used.
  • Altered safe equals from ceq/and to xor/and/ceq, moving the check outside of the loop to mitigate against branch prediction causing a timing leak.
  • Add new method PasswordNeedsRehash(string hash, int newMinimumWorkLoad) as a helper method for developers to use when logging a user in to increase legacy workloads
  • Add ValidateAndReplacePassword method to allow inline password validation and replacement. Throws BcryptAuthenticationException in the event of authentication failure.
  • Cleaned up XML-doc for intellisense
  • Increased compatibility by allowing BCrypt revisions from other frameworks/languages to be validated and generated whilst maintaining compatibility.
  • VS2017 RTW changes

v2.0.1 -

  • Corrects usage of Secure random number generator
  • Change UTF8 handling to safer default (throwOnInvalidBytes: true)
  • The .NET Encoding.UTF8 encoding instance does not raise exceptions when asked to encode bytes that cannot represent a valid encoding; it returns the same 'unknown' replacement character instead. This can cause entropy loss when converting from bytes to strings.
  • Change secure equals to match .net identity implementation
  • Inline vars in encipher method

v2.0.0 -

Fresh release packaged for the majority of .net and containing safe-equals to reduce the risks from timing attacks (https://en.wikipedia.org/wiki/Timing_attack / https://cryptocoding.net/index.php/Coding_rules#Compare_secret_strings_in_constant_time). Technically the implementation details of BCrypt theoretically mitigate against timing attacks, but the Bcrypt.net official validation function was vulnerable to timing attacks as it returned as soon as a non-matching byte was found in the hash comparison.
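The comparison problem described here and in the v2.1.0 "safe equals" entry, as an added C# illustration (not the library's own code): the early-return form leaks how many leading bytes matched, while the accumulator form XORs every byte pair and makes its single equality check after the loop. Sample hash strings are constructed and are not real hashes of any password.

```csharp
using System;
using System.Text;

public static class HashComparison
{
    // Leaky form: returns at the first differing byte, so the time taken
    // depends on how many leading bytes of the candidate hash matched.
    public static bool EarlyExitEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        for (int i = 0; i < a.Length; i++)
        {
            if (a[i] != b[i]) return false; // data-dependent branch
        }
        return true;
    }

    // Constant-time form: XOR each byte pair, OR the result into one
    // accumulator, and check for equality only after the loop finishes.
    // The loop always runs the same number of iterations for a given length.
    public static bool SafeEquals(byte[] a, byte[] b)
    {
        uint diff = (uint)a.Length ^ (uint)b.Length; // length mismatch is a difference too
        int len = Math.Min(a.Length, b.Length);
        for (int i = 0; i < len; i++)
        {
            diff |= (uint)(a[i] ^ b[i]);
        }
        return diff == 0;
    }

    // BCrypt hash strings are ASCII, so compare their byte forms.
    public static bool SafeEquals(string a, string b)
    {
        return SafeEquals(Encoding.ASCII.GetBytes(a), Encoding.ASCII.GetBytes(b));
    }

    public static void Main()
    {
        // Constructed 60-character sample values in BCrypt's "$2a$cost$" layout.
        const string stored    = "$2a$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234";
        const string candidate = "$2a$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01235";
        Console.WriteLine(SafeEquals(stored, stored));
        Console.WriteLine(SafeEquals(stored, candidate));
        Console.WriteLine(SafeEquals(stored, stored + "x"));
    }
}
```

On .NET Core 2.1 and later, System.Security.Cryptography.CryptographicOperations.FixedTimeEquals provides the same accumulator comparison with the JIT optimisations disabled, which is the safer choice where it is available.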