What Algorithm does ASP.NET Core Identity Use to Hash Passwords

Your security auditor asks which method and algorithm you use to store passwords in your ASP.NET Core applications. If you use ASP.NET Core Identity, you know that it handles all the password storage and that you never specify which algorithm should be used. You look at the database tables and see weird strings in the PasswordHash field of the AspNetUsers table. You breathe a sigh of relief that the password is not stored in plain text - the guys at Microsoft are smart! But you still don't know what algorithm was used to convert the passwords to those weird-looking characters.

The good news is that ASP.NET Core is open source, so you can look directly at the source code to answer your questions. The class that does the hashing is called PasswordHasher. If you look at its source code here you can see in the comments that it supports two hashed password formats.

/* =======================
 * =======================
 * Version 2:
 * PBKDF2 with HMAC-SHA1, 128-bit salt, 256-bit subkey, 1000 iterations.
 * (See also: SDL crypto guidelines v5.1, Part III)
 * Format: { 0x00, salt, subkey }
 * Version 3:
 * PBKDF2 with HMAC-SHA256, 128-bit salt, 256-bit subkey, 10000 iterations.
 * Format: { 0x01, prf (UInt32), iter count (UInt32), salt length (UInt32), salt, subkey }
 * (All UInt32s are stored big-endian.)
 */

If you have written a new application, the passwords will be hashed using PBKDF2 with the parameters specified in Version 3. Version 2 was used by older .NET frameworks and is still present in the class for backward compatibility, so if you have migrated your database from an older version your users will still be able to log in.
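
To answer the auditor for a specific database, the two layouts in that comment can be parsed straight out of a PasswordHash value. The Python below is an added example, not code from ASP.NET Core or from this post; its function names are made up for illustration. It assumes the column stores the byte layout base64-encoded, that the prf field uses the .NET KeyDerivationPrf numbering (0 = HMAC-SHA1, 1 = HMAC-SHA256, 2 = HMAC-SHA512), and that the password is fed to PBKDF2 as UTF-8, none of which the comment itself states.

```python
import base64
import hashlib
import hmac
import os
import struct

# KeyDerivationPrf values -> hashlib names (assumption: taken from the .NET
# enum; the page itself only says "prf (UInt32)").
PRF_NAMES = {0: "sha1", 1: "sha256", 2: "sha512"}


def parse_identity_hash(b64):
    """Split a base64 PasswordHash value into parameters, salt and subkey."""
    raw = base64.b64decode(b64, validate=True)
    if raw[:1] == b"\x00":  # Version 2: { 0x00, salt, subkey }, fixed sizes
        if len(raw) != 1 + 16 + 32:
            raise ValueError("bad Version 2 length")
        return {"version": 2, "prf": "sha1", "iterations": 1000,
                "salt": raw[1:17], "subkey": raw[17:]}
    if raw[:1] == b"\x01" and len(raw) > 13:  # Version 3: self-describing header
        prf, iterations, salt_len = struct.unpack(">III", raw[1:13])  # big-endian
        if prf not in PRF_NAMES or iterations < 1 or 13 + salt_len >= len(raw):
            raise ValueError("invalid Version 3 header")
        return {"version": 3, "prf": PRF_NAMES[prf], "iterations": iterations,
                "salt": raw[13:13 + salt_len], "subkey": raw[13 + salt_len:]}
    raise ValueError("unknown or truncated hash format")


def verify_password(b64, password):
    """Re-derive the subkey (password as UTF-8, assumed); constant-time compare."""
    h = parse_identity_hash(b64)
    derived = hashlib.pbkdf2_hmac(h["prf"], password.encode("utf-8"),
                                  h["salt"], h["iterations"], len(h["subkey"]))
    return hmac.compare_digest(derived, h["subkey"])


def make_v3_hash(password, iterations=10000, salt=None):
    """Build a Version 3 value with the page's parameters (demo input only)."""
    salt = salt or os.urandom(16)
    subkey = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, 32)
    header = b"\x01" + struct.pack(">III", 1, iterations, len(salt))
    return base64.b64encode(header + salt + subkey).decode("ascii")


if __name__ == "__main__":
    sample = make_v3_hash("constructed-demo-password")  # constructed, not a real hash
    info = parse_identity_hash(sample)
    print(info["version"], info["prf"], info["iterations"], len(info["salt"]) * 8)
    print(verify_password(sample, "constructed-demo-password"))
```

Because a Version 3 value carries its own PRF and iteration count, the parser reports what was actually used for each row rather than what the current default happens to be.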

About the Author

Salil Ponde is a software developer, blogger and DevOps enthusiast.
He has over 11 years of experience in the industry.