I have a need to store usernames and passwords in the database. Passwords should obviously be encrypted. We do have some older code that some of our other websites use to encrypt the password, but I'm not sure if that's secure.
I was looking into using the ASP.NET Core PasswordHasher class.
I'm using it as follows:
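using Microsoft.AspNetCore.Identity;

PasswordHasher<string> pw = new PasswordHasher<string>();
// Hash the same password twice; each call generates its own random salt, so s1 and s2 differ.
string s1 = pw.HashPassword("Bob", "Apple");
string s2 = pw.HashPassword("Bob", "Apple");
// The salt is embedded in each hash string, so both still verify against "Apple".
var v1 = pw.VerifyHashedPassword("Bob", s1, "Apple");
var v2 = pw.VerifyHashedPassword("Bob", s2, "Apple");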
Under the hood it uses PBKDF2, with SHA256 and 10,000 iterations, unless you use V2 compatibility (don't use V2 compatibility unless you have to).
You can use the raw function it calls into, if you don't want to pull in Identity, but you should stick to the same algorithms and iteration counts.
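As an added example (not code from the answer or from ASP.NET Core Identity), here is one way to hash and verify without Identity, assuming the raw function meant is `KeyDerivation.Pbkdf2` from the `Microsoft.AspNetCore.Cryptography.KeyDerivation` package. The `RawPasswordHasher` class, its `iterations.salt.subkey` storage format, and the 16-byte salt and 32-byte subkey sizes are assumptions; the algorithm and iteration count are the ones quoted above.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Cryptography.KeyDerivation;

// Added example, not ASP.NET Core Identity's own code.
// RawPasswordHasher and its "iterations.salt.subkey" record format are hypothetical.
public static class RawPasswordHasher
{
    private const int Iterations = 10_000; // iteration count quoted in the answer
    private const int SaltBytes = 16;      // assumed: 128-bit random salt
    private const int SubkeyBytes = 32;    // assumed: 256-bit derived key

    public static string Hash(string password)
    {
        // A fresh random salt per call is why the same password yields different records.
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] subkey = KeyDerivation.Pbkdf2(
            password, salt, KeyDerivationPrf.HMACSHA256, Iterations, SubkeyBytes);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(subkey)}";
    }

    public static bool Verify(string stored, string candidate)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations) || iterations < 1)
            return false; // malformed record: reject rather than throw
        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[1]);
            expected = Convert.FromBase64String(parts[2]);
        }
        catch (FormatException) { return false; }
        if (expected.Length == 0) return false;
        // Re-derive with the salt and iteration count stored alongside the hash.
        byte[] actual = KeyDerivation.Pbkdf2(
            candidate, salt, KeyDerivationPrf.HMACSHA256, iterations, expected.Length);
        // Constant-time comparison avoids leaking how many leading bytes matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    public static void Main()
    {
        // Constructed sample input mirroring the question's "Apple" password.
        string s1 = Hash("Apple"), s2 = Hash("Apple");
        Console.WriteLine($"records differ: {s1 != s2}");
        Console.WriteLine($"both verify: {Verify(s1, "Apple") && Verify(s2, "Apple")}");
        Console.WriteLine($"wrong password verifies: {Verify(s1, "apple")}");
    }
}
```

Storing the iteration count in each record lets the count be raised later while older records still verify with the count they were created with.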