
Commit 268fd56

committed
Improve docs
1 parent 7d640ed commit 268fd56

1 file changed

Lines changed: 19 additions & 2 deletions


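--- a/CSF.Security/PBKDF2CredentialVerifier.cs
+++ b/CSF.Security/PBKDF2CredentialVerifier.cs
@@ -32,7 +32,7 @@ namespace CSF.Security
 /// <summary>
 /// Abstract base type for an <see cref="ICredentialVerifier"/> which uses the PBKDF2 mechanism.
 /// </summary>
-public abstract class PBKDF2CredentialVerifier<TEnteredCredentials,TStoredCredentials>
+public class PBKDF2CredentialVerifier<TEnteredCredentials,TStoredCredentials>
 : ICredentialVerifier<TEnteredCredentials,TStoredCredentials>, ICredentialVerifier, IBinaryKeyCreator
 where TEnteredCredentials : ICredentialsWithPassword
 where TStoredCredentials : IStoredCredentialsWithKeyAndSalt
@@ -173,8 +173,25 @@ bool ICredentialVerifier.Verify(object enteredCredentials, object storedCredenti
 /// <summary>
 /// Initializes a new instance of the <see cref="T:CSF.Security.PBKDF2CredentialVerifier`2"/> class.
 /// </summary>
+/// <remarks>
+/// <para>
+/// The iteration count is the "work factor" indicating how difficult it is to perform the hashing operation.
+/// As of 2012, a sane starting point I have seen suggests 64000 iterations. This should double roughly every
+/// two years (thus 256k as of 2016).
+/// </para>
+/// <para>
+/// This however is only really a starting point. It is important to measure the performance on your own hardware
+/// and also consider performance on a "password cracking machine" (loaded with GPUs and the like). You are aiming
+/// for it to take as long as is acceptable on your own hardware (10ms or so for a multi-user network/web service
+/// seems reasonable) and also to take a long as possible on the reference "cracking machine".
+/// </para>
+/// <para>
+/// The aim is to ensure that you have acceptable performance for logins on your own hardware, but that crackers
+/// wouldn't be able to try thousands/millions of passwords every second if they compromised your database.
+/// </para>
+/// </remarks>
 /// <param name="iterationCount">Iteration count.</param>
-public PBKDF2CredentialVerifier(int iterationCount = 1000)
+public PBKDF2CredentialVerifier(int iterationCount = 256000)
 {
 if(iterationCount < 1)
 {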
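Review bot: The class summary in the first hunk still reads `/// Abstract base type for an <see cref="ICredentialVerifier"/> which uses the PBKDF2 mechanism.` while the same hunk removes the `abstract` modifier, so the new side documents a contract the type no longer has; `/// An <see cref="ICredentialVerifier"/> which uses the PBKDF2 mechanism.` would match the code (whether subclassing is still intended is not visible here). In the second hunk the constructor default moves from 1000 to 256000 iterations, which changes behaviour for every caller relying on the default and is recorded neither in the commit message "Improve docs" nor in the `<param>` text; `/// <param name="iterationCount">Number of PBKDF2 iterations (the work factor). Defaults to 256000, a 2016-era figure that should be tuned to and raised with your hardware; the constructor rejects values below 1.</param>` would capture it, the last clause inferred from the `< 1` check whose body lies outside the hunk. Since the new remarks themselves say the figure should double roughly every two years, stating in the `<param>` that the default is a dated starting point rather than a recommendation keeps the two in agreement. The remarks also contain a typo: `take a long as possible` should read `take as long as possible`. The constructor body continues outside the hunk.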
