Stronger password hashing in .NET with Microsoft’s universal providers
Last month I wrote about our password hashing having no clothes [https://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html] which, to cut to the chase, demonstrated how salted SHA hashes (such as those created by the ASP.NET membership provider) offered next to no protection from brute force attacks. I’m going to assume you’re familiar with the background story on this (read that article before this one if not), but the bottom line was that cryptographic hashing of passwords needs to...