Set EnhancedEntropy as obsolete due to password shucking vulnerability

Author: scottbrady91

README.md

@@ -14,7 +14,7 @@ services.AddScoped<IPasswordHasher<TUser>, BCryptPasswordHasher<TUser>>();
 ### Options
 
 - **WorkFactor**: int
-- **EnhancedEntropy**: bool
+- **EnhancedEntropy**: bool *(Obsolete due to [password shucking](https://www.scottbrady91.com/Authentication/Beware-of-Password-Shucking) vulnerability)*
 
 Register with:
 

src/ScottBrady91.AspNetCore.Identity.BCryptPasswordHasher/BCryptPasswordHasher.cs

@@ -32,7 +32,9 @@ public virtual string HashPassword(TUser user, string password)
         {
             if (string.IsNullOrWhiteSpace(password)) throw new ArgumentNullException(nameof(password));
 
+#pragma warning disable 618
             return BCrypt.Net.BCrypt.HashPassword(password, options.WorkFactor, options.EnhancedEntropy);
+#pragma warning restore 618
         }
 
         /// <summary>
@@ -48,7 +50,9 @@ public virtual PasswordVerificationResult VerifyHashedPassword(TUser user, strin
             if (string.IsNullOrWhiteSpace(hashedPassword)) throw new ArgumentNullException(nameof(hashedPassword));
             if (string.IsNullOrWhiteSpace(providedPassword)) throw new ArgumentNullException(nameof(providedPassword));
 
+#pragma warning disable 618
             var isValid = BCrypt.Net.BCrypt.Verify(providedPassword, hashedPassword, options.EnhancedEntropy);
+#pragma warning restore 618
 
             if (isValid && BCrypt.Net.BCrypt.PasswordNeedsRehash(hashedPassword, options.WorkFactor))
             {

src/ScottBrady91.AspNetCore.Identity.BCryptPasswordHasher/BCryptPasswordHasherOptions.cs

@@ -1,4 +1,6 @@
-namespace ScottBrady91.AspNetCore.Identity
+using System;
+
+namespace ScottBrady91.AspNetCore.Identity
 {
     /// <summary>
     /// Options for BCryptPasswordHasher.
@@ -11,8 +13,10 @@ public class BCryptPasswordHasherOptions
         public int WorkFactor { get; set; } = 11;
 
         /// <summary>
-        /// Enables the use of SHA384 hashing prior to bcrypt hashing. Defaults to false
+        /// Enables the use of SHA384 hashing prior to bcrypt hashing. This will make you vulnerable to password shucking. Defaults to false.
+        /// https://www.scottbrady91.com/Authentication/Beware-of-Password-Shucking
         /// </summary>
+        [Obsolete("Discouraged due to vulnerability to password shucking", false)]
         public bool EnhancedEntropy { get; set; } = false;
     }
 }

src/ScottBrady91.AspNetCore.Identity.BCryptPasswordHasher/ScottBrady91.AspNetCore.Identity.BCryptPasswordHasher.csproj

@@ -13,8 +13,8 @@
     <PackageLicenseExpression>MIT</PackageLicenseExpression>
     <IncludeSymbols>true</IncludeSymbols>
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
-    <Version>1.2.0</Version>
-    <PackageReleaseNotes>Updated default work factor to 11. Added support for SuccessRehashNeeded. Updated bcrypt and ASP.NET Identity dependencies.</PackageReleaseNotes>
+    <Version>1.3.0</Version>
+    <PackageReleaseNotes>Set EnhancedEntropy as obsolete due to password shucking vulnerability</PackageReleaseNotes>
   </PropertyGroup>
 
   <ItemGroup>

test/ScottBrady91.AspNetCore.Identity.BCryptPasswordHasher.Tests/BCryptPasswordHasherTests.cs

@@ -3,6 +3,7 @@
 using Microsoft.AspNetCore.Identity;
 using Microsoft.Extensions.Options;
 using Xunit;
+#pragma warning disable 618
 
 namespace ScottBrady91.AspNetCore.Identity.BCryptPasswordHasher.Tests
 {
@@ -50,7 +51,6 @@ public void HashPassword_WhenCalledMultipleTimesWithSamePlaintext_ExpectDifferen
         [Fact]
         public void HashPassword_WithCustomWorkFactor_ExpectVerifiableHash()
         {
-            var random = new Random();
             var password = Guid.NewGuid().ToString();
 
             options.WorkFactor = options.WorkFactor - 1;