2015-03-12: Google has announced that they are EOLing Google Code. As such, when Google Code goes away, this repository will go away. If you need a copy of the source code, please download it before January 25, 2016.

As mentioned below, this code has not been touched in quite some time, and there are more up-to-date versions out there. Please plan on migrating to one of these other versions.

2014-10-09: This project is not actively maintained. There is at least one other .NET BCrypt library out there that looks to have been modified fairly recently:

bcrypt.codeplex.com

Original page content follows.

BCrypt.net is a C# port of the jBCrypt library. It was ported by Derek Slager. I created this project and uploaded the code here to give it a more permanent home.

As Derek originally did the port, I will let his words describe the code (click here for Derek's original blog posting).

Using raw hash functions to authenticate passwords is as naive as using unsalted hash functions. Don’t.
Thomas Ptacek

BCrypt.net is an implementation of OpenBSD's Blowfish-based password hashing code, described in "A Future-Adaptable Password Scheme" by Niels Provos and David Mazières. It is a direct port of jBCrypt by Damien Miller, and is thus released under the same BSD-style license. The code is fully managed and should work with any little-endian CLI implementation -- it has been tested with Microsoft .NET and Mono.

Most popular password storage schemes are based on fast hashing algorithms such as MD5 and SHA-1. BCrypt is a computationally expensive adaptive hashing scheme which utilizes the Blowfish block cipher. It is ideally suited for password storage, as its slow initialization time severely limits the effectiveness of brute force password cracking attempts. How much overhead it adds is configurable (that's the adaptive part), so the computational resources required to test a password candidate can grow along with advancements in hardware capabilities.

Using BCrypt in your code is very simple:

``` // Pass a logRounds parameter to GenerateSalt to explicitly specify the // amount of resources required to check the password. The work factor // increases exponentially, so each increment is twice as much work. If // omitted, a default of 10 is used. string hashed = BCrypt.HashPassword(password, BCrypt.GenerateSalt(12));

// Check the password. bool matches = BCrypt.CheckPassword(candidate, hashed); ```