I am currently using the inbuilt .NET 5 Identity CreateAsync() to create new user accounts. This is meant to take their passwords, hash them and then salt them. Does the .NET 5 CreateAsync() method use SHA1, SHA256, or SHA512, and does it salt them?

GolfBravo
  • FYI: https://github.com/dotnet/aspnetcore/blob/b56bb17db3ae73ce5a8664a2023a9b9af89499dd/src/Identity/Extensions.Core/src/PasswordHasher.cs – ProgrammingLlama May 23 '22 at 14:24
  • .NET 5 is already out of support. You should be migrating to .NET 6, the Long-Term-Support version that will be supported until 2024. .NET 5 was a "current", i.e. single-year version. The lifecycle was announced years ago, when .NET 3 was released – Panagiotis Kanavos May 23 '22 at 14:33

1 Answer

Per the PasswordHasher source code for .NET 5.0.17:

     /* =======================
     * HASHED PASSWORD FORMATS
     * =======================
     *
     * Version 2:
     * PBKDF2 with HMAC-SHA1, 128-bit salt, 256-bit subkey, 1000 iterations.
     * (See also: SDL crypto guidelines v5.1, Part III)
     * Format: { 0x00, salt, subkey }
     *
     * Version 3:
     * PBKDF2 with HMAC-SHA256, 128-bit salt, 256-bit subkey, 10000 iterations.
     * Format: { 0x01, prf (UInt32), iter count (UInt32), salt length (UInt32), salt, subkey }
     * (All UInt32s are stored big-endian.)
     */

NOTE: .NET 5 is no longer under support as of May 10, 2022, so there will be no security patches. You should upgrade to .NET 6+ ASAP.

NightOwl888
  • Thank you. So version 2 uses SHA1, but version 3 uses SHA256. How do I ensure that I am on version 3 and not on 2? – GolfBravo May 23 '22 at 14:31
  • See [How to set PasswordHasherCompatibilityMode.IdentityV3 in ASP.NET 5 Identity?](https://stackoverflow.com/questions/36394898/how-to-set-passwordhashercompatibilitymode-identityv3-in-asp-net-5-identity) – NightOwl888 May 23 '22 at 14:32
  • @GolfBravo If you look at the top of the code file that was linked to, it shows how it chooses. Remember, when you're dealing with open source code, you can just go look to satisfy your curiosity. – mason May 23 '22 at 14:33
  • Many thanks. Just saw in NightOwl888's answer that if the password hash starts with the char letter "A" 0x01, then it's version 3, which is SHA256, and 0x00 is version 2, SHA1. The current passwords are showing the start letter as A. – GolfBravo May 23 '22 at 15:12
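An added example (not code from the answer or from ASP.NET Core) that builds, decodes and verifies blobs in both layouts quoted in the answer, so a stored Identity hash can be inspected for its format version, PRF and iteration count; the password and the fixed salt are constructed values. It also shows why the leading base64 letter mentioned in the last comment does not distinguish the formats: both 0x00 and 0x01 encode to a leading "A", so the blob has to be decoded.

```python
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional

# KeyDerivationPrf values as stored in the version-3 header: HMACSHA1=0, HMACSHA256=1, HMACSHA512=2.
PRF_ALGOS = {0: "sha1", 1: "sha256", 2: "sha512"}


def make_hash(password: str, version: int = 3, salt: Optional[bytes] = None,
              iterations: int = 10000, prf: int = 1) -> str:
    """Build a PasswordHasher-style blob in the version 2 or version 3 layout, base64 encoded."""
    salt = salt if salt is not None else os.urandom(16)
    pw = password.encode("utf-8")
    if version == 2:
        # Version 2: { 0x00, salt, subkey } with PBKDF2-HMAC-SHA1, 1000 iterations, 256-bit subkey.
        subkey = hashlib.pbkdf2_hmac("sha1", pw, salt, 1000, 32)
        return base64.b64encode(b"\x00" + salt + subkey).decode("ascii")
    # Version 3: { 0x01, prf, iterations, salt length } as big-endian UInt32s, then salt and subkey.
    subkey = hashlib.pbkdf2_hmac(PRF_ALGOS[prf], pw, salt, iterations, 32)
    header = b"\x01" + struct.pack(">III", prf, iterations, len(salt))
    return base64.b64encode(header + salt + subkey).decode("ascii")


def parse_hash(stored: str) -> dict:
    """Decode a stored hash and report its format version, PRF, iteration count, salt and subkey."""
    blob = base64.b64decode(stored)
    if blob[0] == 0x00:
        return {"version": 2, "prf": "sha1", "iterations": 1000,
                "salt": blob[1:17], "subkey": blob[17:]}
    if blob[0] == 0x01:
        prf, iterations, salt_len = struct.unpack(">III", blob[1:13])
        return {"version": 3, "prf": PRF_ALGOS[prf], "iterations": iterations,
                "salt": blob[13:13 + salt_len], "subkey": blob[13 + salt_len:]}
    raise ValueError(f"unknown format marker 0x{blob[0]:02x}")


def verify(password: str, stored: str) -> bool:
    """Re-derive the subkey with the parameters read from the stored hash and compare in constant time."""
    p = parse_hash(stored)
    candidate = hashlib.pbkdf2_hmac(p["prf"], password.encode("utf-8"),
                                    p["salt"], p["iterations"], len(p["subkey"]))
    return hmac.compare_digest(candidate, p["subkey"])


if __name__ == "__main__":
    # Both layouts begin with "A" in base64 (0x00 -> "AA...", 0x01 -> "AQ..."), so decode rather than peek.
    for version in (2, 3):
        h = make_hash("Passw0rd!", version=version, salt=bytes(range(16)))  # constructed inputs
        print(f"v{version} starts {h[:4]!r}: {parse_hash(h)['prf']}, {parse_hash(h)['iterations']} iterations")
```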