Home > OS >  Does .NET 5 Identity CreateAsync() use sha512 for hashing and salting
Does .NET 5 Identity CreateAsync() use sha512 for hashing and salting

Time:05-24

I am currently using the inbuilt .NET 5 Identity CreateAsync() to create new user accounts. This is meant to take their passwords, hash them and then salt them. Does .NET 5 CreateAsync() method use SHA1, SHA256, or SHA512 and does it salt them?

CodePudding user response:

Per the PasswordHasher source code for .NET 5.0.17:

     /* =======================
     * HASHED PASSWORD FORMATS
     * =======================
     *
     * Version 2:
     * PBKDF2 with HMAC-SHA1, 128-bit salt, 256-bit subkey, 1000 iterations.
     * (See also: SDL crypto guidelines v5.1, Part III)
     * Format: { 0x00, salt, subkey }
     *
     * Version 3:
     * PBKDF2 with HMAC-SHA256, 128-bit salt, 256-bit subkey, 10000 iterations.
     * Format: { 0x01, prf (UInt32), iter count (UInt32), salt length (UInt32), salt, subkey }
     * (All UInt32s are stored big-endian.)
     */

NOTE: .NET 5 is no longer under support as of May 10, 2022, so there will be no security patches. You should upgrade to .NET 6 ASAP.

  • Related