I am currently using the inbuilt .NET 5 Identity CreateAsync() to create new user accounts. This is meant to take their passwords, hash them and then salt them. Does the .NET 5 CreateAsync() method use SHA1, SHA256, or SHA512, and does it salt them?
CodePudding user response:
Per the PasswordHasher source code for .NET 5.0.17:
/* =======================
* HASHED PASSWORD FORMATS
* =======================
*
* Version 2:
* PBKDF2 with HMAC-SHA1, 128-bit salt, 256-bit subkey, 1000 iterations.
* (See also: SDL crypto guidelines v5.1, Part III)
* Format: { 0x00, salt, subkey }
*
* Version 3:
* PBKDF2 with HMAC-SHA256, 128-bit salt, 256-bit subkey, 10000 iterations.
* Format: { 0x01, prf (UInt32), iter count (UInt32), salt length (UInt32), salt, subkey }
* (All UInt32s are stored big-endian.)
*/
NOTE: .NET 5 is no longer under support as of May 10, 2022, so there will be no security patches. You should upgrade to .NET 6 ASAP.
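The two record layouts in the quoted comment can be parsed and verified outside .NET, which is useful when auditing an exported AspNetUsers table or migrating accounts. The following is an added Python example, not code from the PasswordHasher source: it builds a Version 2 and a Version 3 record exactly as the comment describes them (marker byte, big-endian UInt32 PRF id / iteration count / salt length for V3), parses a stored Base64 string back into its fields, and recomputes PBKDF2 to check a candidate password. The PRF id mapping (0 = HMAC-SHA1, 1 = HMAC-SHA256, 2 = HMAC-SHA512) and the UTF-8 encoding of the password are assumptions about the KeyDerivation API that are not stated in the quoted comment; the salt and password values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional

# Assumed KeyDerivationPrf ids (HMACSHA1 = 0, HMACSHA256 = 1, HMACSHA512 = 2)
# mapped onto hashlib digest names.
PRF_NAMES = {0: "sha1", 1: "sha256", 2: "sha512"}

# Version 2 constants from the quoted comment: 128-bit salt, 256-bit subkey, 1000 iterations.
V2_SALT_LEN = 16
V2_SUBKEY_LEN = 32
V2_ITERATIONS = 1000


def create_v2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Version 2 record: { 0x00, salt, subkey } using PBKDF2-HMAC-SHA1."""
    salt = os.urandom(V2_SALT_LEN) if salt is None else salt
    subkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                 V2_ITERATIONS, dklen=V2_SUBKEY_LEN)
    return base64.b64encode(b"\x00" + salt + subkey).decode("ascii")


def create_v3_hash(password: str, salt: Optional[bytes] = None,
                   iterations: int = 10000, prf: int = 1) -> str:
    """Version 3 record: { 0x01, prf, iter count, salt length, salt, subkey }, UInt32s big-endian."""
    salt = os.urandom(16) if salt is None else salt
    subkey = hashlib.pbkdf2_hmac(PRF_NAMES[prf], password.encode("utf-8"), salt,
                                 iterations, dklen=32)
    header = b"\x01" + struct.pack(">III", prf, iterations, len(salt))
    return base64.b64encode(header + salt + subkey).decode("ascii")


def parse_hash(stored: str) -> dict:
    """Decode a stored PasswordHash value into version, PRF, iterations, salt and subkey."""
    raw = base64.b64decode(stored)
    if not raw:
        raise ValueError("empty hash")
    marker = raw[0]
    if marker == 0x00:
        if len(raw) != 1 + V2_SALT_LEN + V2_SUBKEY_LEN:
            raise ValueError("malformed Version 2 record")
        return {"version": 2, "prf": "sha1", "iterations": V2_ITERATIONS,
                "salt": raw[1:1 + V2_SALT_LEN], "subkey": raw[1 + V2_SALT_LEN:]}
    if marker == 0x01:
        if len(raw) < 13:
            raise ValueError("truncated Version 3 header")
        prf, iterations, salt_len = struct.unpack(">III", raw[1:13])
        if prf not in PRF_NAMES:
            raise ValueError(f"unknown PRF id {prf}")
        if salt_len < 16:
            raise ValueError("salt shorter than 128 bits")
        salt = raw[13:13 + salt_len]
        subkey = raw[13 + salt_len:]
        if len(salt) != salt_len or len(subkey) < 16:
            raise ValueError("malformed Version 3 record")
        return {"version": 3, "prf": PRF_NAMES[prf], "iterations": iterations,
                "salt": salt, "subkey": subkey}
    raise ValueError(f"unknown format marker 0x{marker:02x}")


def verify_password(stored: str, password: str) -> bool:
    """Recompute PBKDF2 with the parameters embedded in the record and compare in constant time."""
    info = parse_hash(stored)
    candidate = hashlib.pbkdf2_hmac(info["prf"], password.encode("utf-8"), info["salt"],
                                    info["iterations"], dklen=len(info["subkey"]))
    return hmac.compare_digest(candidate, info["subkey"])


# Constructed demo values, not real credentials.
DEMO_SALT = bytes(range(16))
DEMO_PASSWORD = "correct horse battery staple"

if __name__ == "__main__":
    record = create_v3_hash(DEMO_PASSWORD, DEMO_SALT)
    info = parse_hash(record)
    print(record)
    print(f"version={info['version']} prf={info['prf']} iterations={info['iterations']} "
          f"salt={info['salt'].hex()} verified={verify_password(record, DEMO_PASSWORD)}")
```

A Version 3 record with the .NET 5 defaults (HMAC-SHA256, 10000 iterations, 16-byte salt) always Base64-encodes to a string starting with `AQAAAAEAACcQAAAAE`, because those header bytes are fixed; that prefix is a quick way to confirm which format and work factor a stored hash uses without decoding it by hand.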