UserManager.CreateAsync Default Hash used in MVC 5.2.2.0

Question

Is the Password hashed when this is executed? UserManager.CreateAsync(user, model.Password);. If so, how is the hashing done in a MVC 5 version 5.2.2.0 project done by default? Is it still SHA1 + salt + base64. Something similar this?:

internal string EncodePassword(string pass,  string salt)
{
   byte[] bytes = Encoding.Unicode.GetBytes(pass);
   byte[] src = Convert.FromBase64String(salt);
   byte[] dst = new byte[src.Length + bytes.Length];
   byte[] inArray = null;
   Buffer.BlockCopy(src, 0, dst, 0, src.Length);
   Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);

   HashAlgorithm algorithm = HashAlgorithm.Create("SHA1");
   inArray = algorithm.ComputeHash(dst);

   return Convert.ToBase64String(inArray);
}

possible duplicate of [Asp.net Identity password hashing](http://stackoverflow.com/questions/19957176/asp-net-identity-password-hashing) — Erik Philips, Oct 16 '14 at 03:50
Thanks for the responses. I don't see IPasswordHasher anywhere in my project so is it implemented automatically when I create a new user? — BrettKB, Oct 16 '14 at 21:10
So... is the implication from these comments mean that `CreateAsync` utilizes `PasswordHasher`, which in turn is salting and hashing the password? If so, what is the salt and where is it stored? SecurityStamp? — Ellesedil, May 09 '16 at 23:55

score 4 · Answer 1 · answered Jun 12 '18 at 19:59

This is the password hashing method.

    public string HashPassword(string password)
    {
        byte[] salt;
        byte[] buffer2;
        if (password == null)
        {
            throw new ArgumentNullException("password");
        }
        using (Rfc2898DeriveBytes bytes = new Rfc2898DeriveBytes(password, 0x10, 0x3e8))
        {
            salt = bytes.Salt;
            buffer2 = bytes.GetBytes(0x20);
        }
        byte[] dst = new byte[0x31];
        Buffer.BlockCopy(salt, 0, dst, 1, 0x10);
        Buffer.BlockCopy(buffer2, 0, dst, 0x11, 0x20);
        return Convert.ToBase64String(dst);
    }

I wish I could give this a higher rating than just one. – pennyrave May 06 '20 at 14:10 — pennyrave, May 06 '20 at 14:10

UserManager.CreateAsync Default Hash used in MVC 5.2.2.0

1 Answers1