After some reader feedback and a real-life deployment, I've refactored the password utilities library to be more functional, easier to use, and more maintainable. This has enabled the following improvements:
- The ability to define and use any combination of the default and custom character sets when generating passwords. There are six default character sets covering the normal ASCII range. You can define as many custom character sets as you wish, with the caveat that the current code allows passwords to be generated from a maximum of 255 unique characters.
- The ability to encode all of the hash information needed to verify the associated password at a later stage. This includes the hash algorithm (SHA1-160, SHA2-256, SHA3-512, BCRYPT-192, or SCRYPT-512), the salt/hash encoding format (HEX or BASE64), the work factor (number of hash iterations), the encoded password salt, and the encoded password hash. This information is returned in a printable ASCII string that can be stored in a database or other location.
- An interactive Windows Forms user interface that demonstrates most of the library's capabilities.
- Some usability and library interface improvements along with a couple of bug fixes.
So to recap on what the library now offers:
- Variable-length password generation using a cryptographically-secure pseudo-random number generator.
- Variable-length password salting using a cryptographically-secure pseudo-random number generator.
- Password hash generation from a range of hash algorithms, although currently only SHA1-160 and SHA2-256 (both via HMAC and PBKDF2) are implemented.
- Password hash strengthening based on a specified work factor (number of hash iterations).
- Password verification against a previously-stored password/salt hash.
- Measurement of the entropy in machine-generated and human-generated passwords, where entropy is a proxy for password strength.
- Password policies that specify password min/max length, allowed character sets, and a minimum number of characters from each set.
- Hashing policies that specify the hash algorithm, storage format, work factor, and number of salt bytes.
- StackOverflow has an excellent summary of password salting, hashing, and strengthening.
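To make the two lists above concrete, here is a small Python re-creation of the scheme they describe: CSPRNG password generation from any mix of default and custom character sets (with the 255-unique-character ceiling), password and hashing policies, PBKDF2 hashing with a work factor, a single printable string carrying algorithm, encoding, work factor, salt and hash, constant-time verification against that string, and a pool-size entropy estimate. This is example code written for this post, not the library's C# source; the function names, the `$`-separated layout of the encoded string, the illustrative default character sets and the pool-size entropy heuristic are all assumptions, not necessarily what the library does.

```python
"""Re-creation of the password-utility scheme described in the post.
Example code added here; not the library's C# source. Names, the
encoded-string layout, the default sets and the entropy heuristic are assumptions."""
import base64
import hashlib
import hmac
import math
import secrets
import string
from dataclasses import dataclass

# Constructed default character sets over printable ASCII. The post says the
# library ships six; these four are illustrative only.
DEFAULT_CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}

# The two algorithms the post says are implemented, both as PBKDF2 (HMAC-based).
# Label -> (hashlib name, derived-key length in bytes).
ALGORITHMS = {"SHA1-160": ("sha1", 20), "SHA2-256": ("sha256", 32)}


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    max_length: int
    charsets: tuple          # of str; any mix of default and custom sets
    min_per_set: int = 1     # minimum characters drawn from each set


@dataclass(frozen=True)
class HashPolicy:
    algorithm: str = "SHA2-256"
    encoding: str = "BASE64"  # or "HEX"
    work_factor: int = 10000  # PBKDF2 iteration count
    salt_bytes: int = 16


def pool_from(charsets):
    """Deduplicated union of the sets; enforces the post's 255-unique-character ceiling."""
    pool = "".join(sorted(set("".join(charsets))))
    if len(pool) > 255:
        raise ValueError(f"at most 255 unique characters, got {len(pool)}")
    return pool


def meets_policy(password, policy):
    """Length within bounds and at least min_per_set characters from every set."""
    if not policy.min_length <= len(password) <= policy.max_length:
        return False
    return all(sum(c in cs for c in password) >= policy.min_per_set for cs in policy.charsets)


def generate_password(length, policy):
    """Draw `length` characters from the pool with a CSPRNG, retrying until the per-set minimums hold."""
    if not policy.min_length <= length <= policy.max_length:
        raise ValueError("length outside policy bounds")
    if length < policy.min_per_set * len(policy.charsets):
        raise ValueError("length too short to satisfy the per-set minimums")
    pool = pool_from(policy.charsets)
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if meets_policy(candidate, policy):
            return candidate


def entropy_bits(password, charsets=DEFAULT_CHARSETS):
    """Pool-size estimate: length * log2(total size of every default set the password touches)."""
    pool = sum(len(cs) for cs in charsets.values() if any(c in cs for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def _encode(raw, encoding):
    if encoding == "HEX":
        return raw.hex()
    if encoding == "BASE64":
        return base64.b64encode(raw).decode("ascii")
    raise ValueError(f"unknown encoding {encoding}")


def _decode(text, encoding):
    return bytes.fromhex(text) if encoding == "HEX" else base64.b64decode(text)


def hash_password(password, policy=HashPolicy(), salt=None):
    """One printable string: algorithm$encoding$work_factor$salt$hash (layout is an assumption).
    A random salt is drawn unless one is supplied (supplying one is only for tests)."""
    hash_name, dklen = ALGORITHMS[policy.algorithm]
    salt = secrets.token_bytes(policy.salt_bytes) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, policy.work_factor, dklen)
    return "$".join([policy.algorithm, policy.encoding, str(policy.work_factor),
                     _encode(salt, policy.encoding), _encode(digest, policy.encoding)])


def verify_password(password, stored):
    """Recompute with the parameters carried inside `stored` and compare in constant time."""
    algorithm, encoding, work_factor, salt_text, hash_text = stored.split("$")
    hash_name, dklen = ALGORITHMS[algorithm]
    salt, expected = _decode(salt_text, encoding), _decode(hash_text, encoding)
    actual = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, int(work_factor), dklen)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    policy = PasswordPolicy(12, 32, (DEFAULT_CHARSETS["lower"], DEFAULT_CHARSETS["upper"],
                                     DEFAULT_CHARSETS["digits"], "!@#"))  # "!@#" is a custom set
    pw = generate_password(16, policy)
    stored = hash_password(pw)
    print(pw, f"{entropy_bits(pw):.1f} bits", stored, verify_password(pw, stored))
```

Because every parameter needed for verification travels inside the stored string, the work factor or algorithm can be raised for new records without breaking verification of old ones; a policy change then only means re-hashing at the user's next successful login.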
Below is a screenshot of the Windows Forms interface that can be used to test most of the library's functionality. Any change to one of the parameters shown is immediately reflected in a new password and/or password salt/hash.
I've open-sourced the library and an example graphical interface using the permissive MIT license. This code is now stored in a Bitbucket Mercurial public repository. I haven't tested this under Mono yet, but it's in the list of things to do, along with implementation of the remaining hash algorithms.