PASSWORD HASHING METHODS AND ALGORITHMS ON THE .NET PLATFORM
| Published in | Сучасні інформаційні системи Vol. 8; no. 4; pp. 82 - 92 |
|---|---|
| Main Authors | , , , , |
| Format | Journal Article |
| Language | English |
| Published | National Technical University "Kharkiv Polytechnic Institute", 05.11.2024 |
| Subjects | |
| ISSN | 2522-9052 |
| DOI | 10.20998/2522-9052.2024.4.11 |
| Summary | Web applications, which are widely used to provide services and collect information, have become a major target for attackers, especially with the emergence of government services that process sensitive data. The .NET software platform, popular for developing web applications, includes built-in hashing algorithms (HA) and key derivation functions (KDF) to protect passwords. However, these were developed over two decades ago for a different level of threat. More modern alternatives, such as Bcrypt, Scrypt, and Argon2, offer improved protection against modern GPU, ASIC, and FPGA attacks, but require third-party implementations. Given the critical role of password protection in safeguarding user information, this research investigates the effectiveness of various hashing mechanisms on the .NET platform, an urgent need for securing modern web applications. The subject of study is the features of the hashing algorithms that are built into the .NET software platform or available in libraries for it, used for password protection as the main aspect of user authentication. The purpose of the work is to compare and analyse these algorithms. Objectives: to review built-in algorithms such as MD5, SHA and PBKDF2, as well as third-party implementations of modern key derivation functions such as Bcrypt, Scrypt and Argon2, and to investigate their performance and cryptographic strength. Methods used: measuring hashing speeds for different password sets and analysing attack resistance using tools such as Hashcat and data from independent security research. The results show that while built-in algorithms such as MD5 and SHA256 are fast, they do not provide protection against modern threats such as rainbow table attacks and GPU-accelerated brute-force attempts. PBKDF2, which is standard in ASP.NET Core Identity, provides better security but is vulnerable to attacks using specialised hardware. Among the modern algorithms, Argon2 demonstrated the best balance of security and performance, providing protection against GPU, ASIC, and FPGA-based attacks. Conclusions: the study concluded that Argon2 is the recommended algorithm for password hashing on the .NET platform, while Bcrypt is a suitable alternative for legacy applications. PBKDF2 with a high number of iterations can still provide strong protection. A promising direction for further research may be to determine whether modern memory-intensive key derivation functions can be used to improve password security in .NET applications. |