SledgeHammer - 3 months ago 45
C# Question: Core PasswordHasher<T> issue

I have a need to store usernames and passwords in the database. Passwords should obviously be encrypted. We do have some older code that some of our other websites use to encrypt the password, but I'm not sure if that's secure.

I was looking into using the Core PasswordHasher class.

I'm using it as follows:

using Microsoft.AspNetCore.Identity;   // PasswordHasher<TUser>, PasswordVerificationResult

PasswordHasher<string> pw = new PasswordHasher<string>();

// "Bob" is the TUser argument; the default hasher does not use it, only the password is hashed
string s1 = pw.HashPassword("Bob", "Apple");
string s2 = pw.HashPassword("Bob", "Apple");

var v1 = pw.VerifyHashedPassword("Bob", s1, "Apple");   // PasswordVerificationResult
var v2 = pw.VerifyHashedPassword("Bob", s2, "Apple");

Both v1 and v2 are successful, but for some reason s1 and s2 are NOT equal (random salt perhaps?).

Is PasswordHasher tied to a machine in any way? App will be running in a web farm, so it should be machine independent and verify across all machines in the farm.

Is this a cryptographically secure way of storing passwords?

  • Each hash has a cryptographically secure salt.
  • The salt is prepended to the hash.
  • It is not linked to the machine in any way.

Under the hood it uses PBKDF2, with SHA256 and 10,000 iterations, unless you use V2 compatibility (don't use V2 compatibility unless you have to).

You can use the raw function it calls into, if you don't want to pull in Identity, but you should stick to the same algorithms and iteration counts.
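The points in the answer above, shown in code. This is an added example, not code from the original post or from the ASP.NET Core project: it hashes the same password twice to show the per-hash random salt, verifies a hash produced by one hasher instance with a second instance (standing in for another node in the farm, since nothing machine-specific goes into the hash), and then verifies the same stored hash by calling the raw KeyDerivation.Pbkdf2 function with the PRF, iteration count and salt read out of the hash itself. It assumes the Microsoft.Extensions.Identity.Core and Microsoft.AspNetCore.Cryptography.KeyDerivation packages; the V3 byte layout it parses is the one in the ASP.NET Core PasswordHasher source (0x01 marker, then big-endian PRF, iteration count and salt length, then salt and subkey).

```csharp
// Added example, not from the original post or the ASP.NET Core project.
// Assumes packages: Microsoft.Extensions.Identity.Core,
//                   Microsoft.AspNetCore.Cryptography.KeyDerivation
using System;
using System.Buffers.Binary;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Cryptography.KeyDerivation;
using Microsoft.AspNetCore.Identity;

static class PasswordHasherDemo
{
    static void Main()
    {
        var hasherA = new PasswordHasher<string>();
        var hasherB = new PasswordHasher<string>(); // stands in for a second node in the farm

        string h1 = hasherA.HashPassword("Bob", "Apple");
        string h2 = hasherA.HashPassword("Bob", "Apple");
        // A fresh random salt goes into every hash, so the two strings differ
        Console.WriteLine($"same password, different hashes: {h1 != h2}");

        // Nothing machine-specific is mixed in, so another instance verifies the stored hash
        Console.WriteLine($"node B, right password: {hasherB.VerifyHashedPassword("Bob", h1, "Apple")}");
        Console.WriteLine($"node B, wrong password: {hasherB.VerifyHashedPassword("Bob", h1, "apple")}");

        // Same verification done with the raw PBKDF2 call the hasher uses internally
        Console.WriteLine($"raw PBKDF2 check: {VerifyWithRawPbkdf2(h1, "Apple")}");
    }

    // Re-derives the subkey with KeyDerivation.Pbkdf2 using the parameters stored in the
    // hash. Identity V3 layout (from the ASP.NET Core PasswordHasher source):
    //   0x01 | prf (uint32) | iterations (uint32) | salt length (uint32) | salt | subkey
    // with all integers big-endian.
    static bool VerifyWithRawPbkdf2(string storedHash, string password)
    {
        byte[] blob = Convert.FromBase64String(storedHash);
        if (blob.Length < 13 || blob[0] != 0x01)
            return false; // not a V3 hash (0x00 is the V2 compatibility format)

        var prf = (KeyDerivationPrf)BinaryPrimitives.ReadUInt32BigEndian(blob.AsSpan(1, 4));
        int iterations = (int)BinaryPrimitives.ReadUInt32BigEndian(blob.AsSpan(5, 4));
        int saltLength = (int)BinaryPrimitives.ReadUInt32BigEndian(blob.AsSpan(9, 4));

        // Reject malformed blobs: salt shorter than 128 bits or subkey shorter than 128 bits
        if (saltLength < 16 || blob.Length < 13 + saltLength + 16)
            return false;

        byte[] salt = blob.AsSpan(13, saltLength).ToArray();
        byte[] storedSubkey = blob.AsSpan(13 + saltLength).ToArray();

        // Must use the same PRF, iteration count, salt and output length as the stored hash,
        // otherwise the derived bytes will never match
        byte[] actualSubkey = KeyDerivation.Pbkdf2(password, salt, prf, iterations, storedSubkey.Length);

        // Constant-time comparison so a mismatch does not leak where the bytes diverge
        return CryptographicOperations.FixedTimeEquals(actualSubkey, storedSubkey);
    }
}
```

Reading the iteration count out of the stored hash rather than hard-coding 10,000 is deliberate: newer releases of Identity use a higher default and let you raise it through PasswordHasherOptions.IterationCount, and a verifier that trusts the header keeps working across old and new hashes in the same table.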