shawnmclean / simplecrypto.net
Simple cryptography library that wraps complex hashing algorithms for quick and simple usage.

Home Page: http://shawnmclean.com/simplecrypto-net-a-pbkdf2-hashing-wrapper-for-net-framework/

License: Other

C# 94.43% Ruby 5.57%

simplecrypto.net's Introduction


SimpleCrypto.Net

NuGet

Visual Studio users can install this directly into their .NET projects by executing the following command in the Package Manager Console

PM> Install-Package SimpleCrypto

Description

Simple cryptography library that wraps complex hashing algorithms for quick and simple usage.

Usage

You may download the source and build the project or install it directly from NuGet.

If building the source, please reference the following file in your .net project:

SimpleCrypto.dll

Hash Password Example:

ICryptoService cryptoService = new PBKDF2();

//New User
string password = "password";

//save this salt to the database
string salt = cryptoService.GenerateSalt();

//save this hash to the database (hash with the salt generated above so the same salt can be reused at login)
string hashedPassword = cryptoService.Compute(password, salt);

//validate user
//compare the password (this should be true since we are rehashing the same password and using the same generated salt)
string hashedPassword2 = cryptoService.Compute(password, salt);
bool isPasswordValid = cryptoService.Compare(hashedPassword, hashedPassword2);

Generate Random Password Example:

//generate uppercase passwords only
string upperOnly = RandomPassword.Generate(PasswordGroup.Uppercase);

//generate passwords containing both uppercase and lowercase characters
string mixedCase = RandomPassword.Generate(PasswordGroup.Uppercase, PasswordGroup.Lowercase);

//generate 10 character uppercase passwords only
string tenUpper = RandomPassword.Generate(10, PasswordGroup.Uppercase);

Necessary prerequisites

.NET 4

License

SimpleCrypto.NET is licensed with the Apache License, version 2.0. You can find more information on the license here: http://www.apache.org/licenses/LICENSE-2.0.html

Changelog

  1. 0.3.0.0 - March 14, 2013 - Generate Salt feature added.
  2. 0.2.0.0 - September 16, 2012 - Generate Random password feature added.

simplecrypto.net's People

Contributors

allenp, ericvf, shawnmclean

simplecrypto.net's Issues

PBKDF2.Compare assumes equal string lengths

The compare function of PBKDF2 uses Math.Min to check which string is the shortest to prevent index out of bounds exceptions. However, if the two strings are not of an equal length but the longer string starts with the shorter string, the function returns true:

var pbkdf2 = new PBKDF2();
var ret = pbkdf2.Compare("foo", "foobar");
// ret is now true

To fix this, the result variable should not be initialized by 0, but by the result of a string length comparison:

int result = passwordHash1.Length ^ passwordHash2.Length;

.NET Core

Can you make this package available for .NET Core? Currently it's giving an error. I've made my own implementation meanwhile.

Package SimpleCrypto 0.3.30.26 is not compatible with netcoreapp1.0 (.NETCoreApp,Version=v1.0).
Package SimpleCrypto 0.3.30.26 supports: net (.NETFramework,Version=v0.0)
One or more packages are incompatible with .NETCoreApp,Version=v1.0.

Here is what I use meanwhile: https://www.nuget.org/packages/SimpleCrypto.NetCore
Source: https://gitlab.com/stanislavromanov/SimpleCrypto.NetCore

buggy salt to byte array conversion

Hi,
I attempted to use SimpleCrypto.NET to generate hashes that are used on another platform (node) and found a number of discrepancies (a known password and salt should produce the same results across platforms, assuming that the same digest algorithm and key size are used).

  1. The salt is prefixed with the number of iterations, which makes sense; however, the [xxxx.] prefix should not be used - explanation below.
  2. The salt string to byte conversion is performed using Encoding.UTF8.GetBytes(Salt), which is not the correct way of decoding a base64 string (compare with new Buffer(salt, 'base64') in JS). Convert.FromBase64String should be used instead, but you'd need to split the number of iterations from the actual base64 salt to do so.

I'd also add support for hex string input/output as well. Would you consider a pull request?

pbkdf2 output size too high

A major issue is that you are pulling 64 bytes from deriveBytes, which is very expensive for almost no additional gain. You should be pulling a maximum of 20 bytes. This is causing your routine to run ~4x slower (each 20 bytes doubles the cost, and you eat an entire x to generate those last 4 bytes), for no additional security gain (as attackers can generate only the first 20 bytes, and once they get a match there, calculate the remaining bytes).

See
https://stackoverflow.com/questions/14394803/how-can-pbkdf2-using-hmac-sha-1-return-more-than-20-bytes

or
https://www.owasp.org/index.php/Using_Rfc2898DeriveBytes_for_PBKDF2

"Using PBKDF2 for password storage, one should never output more bits than the base hash function's size. With PBKDF2-SHA1 this is 160 bits or 20 bytes. Output more bits doesn't make the hash more secure, but it costs the defender a lot more time while not costing the attacker. An attacker will just compare the first hash function sized output saving them the time to generate the reset of the PBKDF2 output"

extraneous code in PBKDF2

FWIW, it seems that the code below is not needed.

Cheers.

//convert the plain text into a byte array
byte[] plainTextBytes = Encoding.UTF8.GetBytes(PlainText);

// Allocate array, which will hold plain text and salt.
byte[] plainTextWithSaltBytes =
        new byte[plainTextBytes.Length + saltBytes.Length];

// Copy plain text bytes into resulting array.
for (int a = 0; a < plainTextBytes.Length; a++)
    plainTextWithSaltBytes[a] = plainTextBytes[a];

// Append salt bytes to the resulting array.
for (int a = 0; a < saltBytes.Length; a++)
    plainTextWithSaltBytes[plainTextBytes.Length + a] = saltBytes[a];

major issue with entropy in randompasswordgenerator

FYI, that RandomPasswordGenerator code you borrowed has a MASSIVE limitation.

Because it seeds the Random() on each call, there are only 2 billion unique passwords that it will generate with same password parameters.

Ironically, the code uses RNGCrypto only to generate the seed, which then sets the System.Random object into a predictable state. The comment above it says "now this is real randomization" :S

Below is a test that demonstrates the issue. Due to the birthday paradox, we get a collision usually around the 50k mark.

The easiest fix is to make the Random object static, but since this is a crypto library, the better solution would be to use RNGCrypto to generate the password instead of System.Random.

    [Test]
    public void RandomPassword_Actually_Generates_Random_Passwords()
    {
        HashSet<string> passwords = new HashSet<string>();
        for (int i = 0; i < int.MaxValue; i++)
        {
            string password = RandomPassword.Generate(100, 100);
            if (passwords.Contains(password))
            {
                Assert.Fail("Password collision after " + i + " iterations");
            }
            passwords.Add(password);
        }
    }
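As an added example, not the library's code and not the issue author's test, the following C# puts the pattern the issue describes (a fresh System.Random seeded from the CSPRNG on every call, so at most 2^31 distinct outputs per length) next to a generator that draws every character from RNGCryptoServiceProvider, and probes both with a collision check modelled on the test above. The uppercase alphabet, the 20-character length and the 200,000-iteration budget are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class PasswordGeneration
{
    const string Uppercase = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; // assumed alphabet

    // The pattern the issue describes: a new System.Random per call, seeded
    // from the CSPRNG. The whole output is a function of one 32-bit seed
    // (Random(int) takes its absolute value), so the reachable output space
    // for a given length is at most 2^31 passwords however long they are.
    public static string GenerateSeededRandom(int length)
    {
        byte[] seedBytes = new byte[4];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(seedBytes);
        var random = new Random(BitConverter.ToInt32(seedBytes, 0));
        var sb = new StringBuilder(length);
        for (int i = 0; i < length; i++)
            sb.Append(Uppercase[random.Next(Uppercase.Length)]);
        return sb.ToString();
    }

    // Corrected form: every character comes straight from the CSPRNG.
    // Rejection sampling keeps the choice uniform when the alphabet size
    // does not divide 256 (a plain modulo would bias the first characters).
    public static string GenerateCsprng(int length, string alphabet)
    {
        var sb = new StringBuilder(length);
        byte[] buf = new byte[1];
        int limit = 256 - (256 % alphabet.Length);
        using (var rng = new RNGCryptoServiceProvider())
        {
            while (sb.Length < length)
            {
                rng.GetBytes(buf);
                if (buf[0] >= limit) continue;          // discard biased tail
                sb.Append(alphabet[buf[0] % alphabet.Length]);
            }
        }
        return sb.ToString();
    }

    // Birthday-style probe: returns the iteration at which the first
    // duplicate password appears, or -1 if none within the budget.
    public static int FirstCollision(Func<int, string> generate, int length, int iterations)
    {
        var seen = new HashSet<string>();
        for (int i = 0; i < iterations; i++)
        {
            string p = generate(length);
            if (!seen.Add(p)) return i;
        }
        return -1;
    }

    public static void Main()
    {
        // With a 2^31 output space the seeded generator repeats in the tens
        // of thousands of draws; the CSPRNG generator should return -1.
        Console.WriteLine("seeded Random: " + FirstCollision(GenerateSeededRandom, 20, 200000));
        Console.WriteLine("CSPRNG:        " + FirstCollision(n => GenerateCsprng(n, Uppercase), 20, 200000));
    }
}
```

The probe makes the issue's point measurable: a 20-character uppercase password has about 2^94 possible values, so a duplicate within 200,000 draws is only explicable by the generator's state space, not by the alphabet.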

.Compare() returns true for empty string

First off, great library. Thanks so much for putting this together and for all the efforts I know must've gone into this.

Noticed something interesting today. If running a comparison of a previously hashed password against a string.empty the operation returns true.

Ex:

bool result = cryptoService.Compare(potentialUser.Password, string.Empty); // result is true
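The empty-string result above and the "foo" / "foobar" result in the earlier issue (PBKDF2.Compare assumes equal string lengths) are the same defect: a comparison that walks only the shorter string accepts any prefix, and the empty string is a prefix of everything. As an added example, not the library's code, here is a comparison that folds the length difference into the result as that issue suggests and then visits every character of the shorter string without an early exit, so the running time does not reveal where the first mismatch was.

```csharp
using System;

public static class HashComparison
{
    // Added example: compare two hash strings without accepting prefixes
    // and without returning early on the first differing character.
    public static bool AreEqual(string a, string b)
    {
        if (a == null || b == null) return false;

        // Different lengths can never match. Start the accumulator from
        // the XOR of the lengths (the fix suggested in the issue) instead
        // of returning early, so the loop below still runs in full.
        int result = a.Length ^ b.Length;

        // Walk the shorter string so no index is out of range; if the
        // lengths differ, result is already non-zero and stays non-zero.
        int n = Math.Min(a.Length, b.Length);
        for (int i = 0; i < n; i++)
            result |= a[i] ^ b[i];

        return result == 0;
    }

    public static void Main()
    {
        Console.WriteLine(AreEqual("foo", "foobar"));          // prefix, rejected
        Console.WriteLine(AreEqual("storedHash", string.Empty)); // empty input, rejected
        Console.WriteLine(AreEqual("storedHash", "storedHash")); // identical, accepted
    }
}
```

AreEqual("foo", "foobar") and AreEqual("storedHash", string.Empty) are false and only the identical pair is true; the length mismatch alone decides the first two, while the loop still executes for as many characters as the shorter input has. Newer runtimes expose the same idea for byte arrays as CryptographicOperations.FixedTimeEquals, but that API is not available on the .NET 4 target this library builds for.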

Default salt size and iterations

First of all I want to thank you for this great and clear implementation.
I just wanted you to know that there is no point in having large salts. A 16 byte salt is sufficient. Also, 100000 is good if you're using it locally; on a server it will cost a lot. From what I read, in a production environment, you should use 20000 iterations.
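The three issues above (buggy salt to byte array conversion, pbkdf2 output size too high, and this one on salt size and iterations) all concern how the PBKDF2 parameters are chosen and encoded. As an added example, not the library's code, the following C# wrapper keeps the library's "<iterations>.<base64>" salt layout but base64-decodes the salt with Convert.FromBase64String, uses a 16-byte salt and 20,000 iterations by default, and requests only 20 bytes from Rfc2898DeriveBytes, which is the SHA-1 output size on .NET 4. The class and method names, the defaults and the sample password are assumptions for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class Pbkdf2Passwords
{
    // Parameters taken from the issue discussion (assumed defaults here):
    // 16-byte salt, 20,000 iterations, output no larger than the hash.
    const int SaltBytes = 16;
    const int DefaultIterations = 20000;
    const int OutputBytes = 20; // SHA-1 output size; Rfc2898DeriveBytes on .NET 4 uses HMAC-SHA1

    // Salt stored as "<iterations>.<base64>" so the iteration count
    // travels with the record and can be raised for new users later.
    public static string GenerateSalt(int iterations = DefaultIterations)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);
        return iterations + "." + Convert.ToBase64String(salt);
    }

    // Split off the iteration prefix and base64-decode the remainder.
    // Feeding the text through Encoding.UTF8.GetBytes instead would give
    // the KDF a different byte sequence than any other platform that
    // decodes the salt as base64, which is the discrepancy reported above.
    static void ParseSalt(string stored, out int iterations, out byte[] saltBytes)
    {
        int dot = stored.IndexOf('.');
        if (dot <= 0)
            throw new FormatException("salt must have the form <iterations>.<base64>");
        iterations = int.Parse(stored.Substring(0, dot));
        saltBytes = Convert.FromBase64String(stored.Substring(dot + 1));
    }

    // Derive exactly OutputBytes bytes; asking for more only slows the
    // defender, since a guess can be checked against the first block.
    public static string Compute(string password, string storedSalt)
    {
        int iterations;
        byte[] saltBytes;
        ParseSalt(storedSalt, out iterations, out saltBytes);
        using (var kdf = new Rfc2898DeriveBytes(Encoding.UTF8.GetBytes(password), saltBytes, iterations))
            return Convert.ToBase64String(kdf.GetBytes(OutputBytes));
    }

    // Recompute and compare byte-for-byte with no early exit; a length
    // mismatch is folded into the result rather than short-circuiting.
    public static bool Verify(string password, string storedSalt, string storedHash)
    {
        byte[] expected = Convert.FromBase64String(storedHash);
        byte[] actual = Convert.FromBase64String(Compute(password, storedSalt));
        int diff = expected.Length ^ actual.Length;
        int n = Math.Min(expected.Length, actual.Length);
        for (int i = 0; i < n; i++)
            diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    public static void Main()
    {
        string salt = GenerateSalt();                 // e.g. "20000.<22 base64 chars>=="
        string hash = Compute("correct horse", salt); // sample password, constructed
        Console.WriteLine(Verify("correct horse", salt, hash));
        Console.WriteLine(Verify("wrong guess", salt, hash));
    }
}
```

Because the salt is decoded as base64 and the output length equals the hash size, the same password and stored salt reproduce the same hash on another platform; in Node.js that is crypto.pbkdf2Sync(password, Buffer.from(saltBase64, 'base64'), iterations, 20, 'sha1'), with the iteration prefix split off first exactly as ParseSalt does.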
