Some Salt and Pepper for bcrypt

--

We had Troy Hunt come along to chat with our students. He outlined methods of taking MD5-hashed passwords and then hashing them again with bcrypt. He also outlined [here] the use of a pepper key to encrypt the hashed output. One of the basic methods he outlined followed the Dropbox approach:

Ref [here]

With this, we take the password and hash it. In Dropbox’s case, they use SHA512, which gives us 64 bytes of hashed output. bcrypt is then applied with a random salt and a cost of 10. Finally, the output from bcrypt is encrypted with AES using a global pepper key. This key is the same for a wide range of password hashes.
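The SHA512, then bcrypt, then AES pipeline just described, as an added example in C# (not code from the post) using BCrypt.Net-Next and .NET 8's AesGcm. Choosing AES-GCM as the AES mode and the record layout are my assumptions, as are the BCrypt.Net method names EnhancedHashPassword and EnhancedVerify.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using BCryptNet = BCrypt.Net.BCrypt;
// Added example: SHA512 pre-hash -> bcrypt (random salt, cost 10) -> AES-GCM under a global
// pepper key. The pepper key is a constructed stand-in; in practice it is kept outside the
// password database (HSM or separate secret store), so a dumped table alone is useless.
static class PepperedBcrypt
{
    const int Cost = 10;                      // bcrypt work factor from the Dropbox design
    const int NonceBytes = 12, TagBytes = 16; // AES-GCM nonce and tag sizes
    // Steps 1 and 2: BCrypt.Net's "enhanced" mode SHA512s the password, base64-encodes
    // the digest, then bcrypts it with a fresh random salt at the given cost.
    public static string HashPassword(string password) =>
        BCryptNet.EnhancedHashPassword(password, BCrypt.Net.HashType.SHA512, Cost);
    // Step 3: encrypt the bcrypt string with the pepper key. The stored record is
    // nonce || tag || ciphertext, so everything needed to decrypt travels with it.
    public static byte[] Pepper(byte[] pepperKey, string bcryptHash)
    {
        byte[] plain = Encoding.ASCII.GetBytes(bcryptHash);
        byte[] record = new byte[NonceBytes + TagBytes + plain.Length];
        Span<byte> nonce = record.AsSpan(0, NonceBytes);
        RandomNumberGenerator.Fill(nonce);                 // never reuse a nonce under one key
        using var aes = new AesGcm(pepperKey, TagBytes);
        aes.Encrypt(nonce, plain, record.AsSpan(NonceBytes + TagBytes), record.AsSpan(NonceBytes, TagBytes));
        return record;
    }
    // Login check: decrypt under the pepper key (a wrong key or tampered record fails the
    // GCM tag and is rejected), then let bcrypt verify with the salt and cost in the hash.
    public static bool Verify(byte[] pepperKey, byte[] record, string candidate)
    {
        byte[] plain = new byte[record.Length - NonceBytes - TagBytes];
        using var aes = new AesGcm(pepperKey, TagBytes);
        try
        {
            aes.Decrypt(record.AsSpan(0, NonceBytes), record.AsSpan(NonceBytes + TagBytes),
                        record.AsSpan(NonceBytes, TagBytes), plain);
        }
        catch (CryptographicException) { return false; }
        return BCryptNet.EnhancedVerify(candidate, Encoding.ASCII.GetString(plain), BCrypt.Net.HashType.SHA512);
    }
    static void Main()
    {
        byte[] pepperKey = RandomNumberGenerator.GetBytes(32);   // constructed 256-bit pepper
        byte[] stored = Pepper(pepperKey, HashPassword("Pa$$w0rd"));
        Console.WriteLine(Verify(pepperKey, stored, "Pa$$w0rd"));
        Console.WriteLine(Verify(pepperKey, stored, "wrong"));
    }
}
```

Rotating the pepper means decrypting every record with the old key and re-encrypting with the new one; no user password is needed, which is the practical advantage of peppering by encryption rather than by mixing the pepper into the hash input.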

So, let’s code for bcrypt with different costs and hash values [here]:

namespace bcrypt
{
    using System;
    using BCryptNet = BCrypt.Net.BCrypt;
    using System.Security.Cryptography;

    class Program
    {
        static void Main(string[] args)
        {
            int cost = 4;                             // bcrypt work factor (2^cost rounds)
            string hashtype = "SHA2";                 // pre-hash selector from the command line
            var hash = BCrypt.Net.HashType.SHA256;    // default pre-hash
            string msg = "Pa$$w0rd";
            if (args.Length > 0) msg = args[0];
            if (args.Length > 1) cost = int.Parse(args[1]);
            if (args.Length > 2) hashtype = args[2];
            // The post's listing ends at this if-chain; the remainder is completed here in the obvious way.
            if (hashtype == "SHA384") hash = BCrypt.Net.HashType.SHA384;
            if (hashtype == "SHA512") hash = BCrypt.Net.HashType.SHA512;
            // Enhanced mode pre-hashes the password with the selected SHA-2 variant,
            // then runs bcrypt with a fresh random salt at the given cost.
            string res = BCryptNet.EnhancedHashPassword(msg, hash, cost);
            Console.WriteLine("Password: " + msg + ", cost: " + cost + ", pre-hash: " + hash);
            Console.WriteLine("Hash: " + res);
        }
    }
}

--

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice