
I'm new to developing with MVC. I created an ASP.NET Core web application (MVC) in Visual Studio with Individual User Accounts stored in app. I created a database for the app in SQL Server, updated the connection string, and ran Update-Database in the NuGet package. This created the associated authentication (and authorization?) tables in the db. My question is this: how does the authentication process work with regard to hashing the password for user accounts? Does Core 2.0 have specific middleware that handles that? Does each user get their own salt? How strong is it? Not sure if this is needed, but I'm using CS 2017 15.5.6, .NET v 4.7.

NightOwl888
user6383418
  • Here's a good overview: https://stackoverflow.com/questions/20621950/asp-net-identity-default-password-hasher-how-does-it-work-and-is-it-secure – ChickenMilkBomb Feb 02 '18 at 17:11
  • Just a note: if you’re using .NET 4.7 you’re not using .NET Core. ASP.NET Core is a different thing. It’s confusing naming. – Sami Kuhmonen Feb 02 '18 at 17:11
  • Thank you! That link did help and so did this one which will help me increase the security [https://code.msdn.microsoft.com/ASPNET-45-MVC5-Custom-1a94ab26](https://code.msdn.microsoft.com/ASPNET-45-MVC5-Custom-1a94ab26) - Yes it is confusing naming. Why is it a Core web application then? How do I tell what version of MVC I am using? – user6383418 Feb 02 '18 at 17:28
  • All of this can be answered (probably much faster than getting an answer here) by analyzing the Identity source code. [HashPasswordV3](https://github.com/aspnet/Identity/blob/85f8a49aef68bf9763cd9854ce1dd4a26a7c5d3c/src/Core/PasswordHasher.cs#L139-L154) is the default password hashing method. Of course, the whole framework is pluggable and you could replace this implementation just by subclassing it or implementing `IPasswordHasher` yourself if you are not happy with the hashing algorithm. – NightOwl888 Feb 02 '18 at 17:28
  • "ASP.NET MVC" refers to the older framework that only runs on .NET Framework. "ASP.NET Core" is the newer framework that runs on both .NET Framework and .NET Core. Technically there is no such thing as "MVC" or "Web Api" in ASP.NET Core. It's just ASP.NET Core. It's called "Core" because it began as a re-imagining of ASP.NET for .NET Core. However, as .NET Core is basically a subset of .NET Framework, something that works in .NET Core most works in .NET Framework as well. However, the only real reason to target .NET Framework is if you're using libraries not supported in .NET Core. – Chris Pratt Feb 02 '18 at 18:08
  • Otherwise, you should just use .NET Core. And, with .NET Core 2.0 supporting most of what's in .NET Framework now, there's little reason to target .NET Framework at all, unless you have Windows-specific functionality or are utilizing libraries that do. – Chris Pratt Feb 02 '18 at 18:09
  • I guess I'm still a little confused. Following the methods above, I am using Core, right? I put .NET 4.7 because that's what was in Help > About. Further research suggests that the Core Identity password hasher is in fact PBKDF2. How do I ensure that is actually what is being used to hash? I guess if I don't even know what I am using, I don't know what is being used to hash :( but I need to be using PBKDF2 or bcrypt – user6383418 Feb 02 '18 at 18:39

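
One way to check which KDF a stored hash was produced with, as an added C# example that is not part of the thread or of the Identity source: it decodes the header of a Base64 `PasswordHash` value (the column in `AspNetUsers`), reports the declared PRF, iteration count and per-user salt length, and confirms the claim by recomputing PBKDF2. Assumptions: the V3 byte layout of the `HashPasswordV3` source linked in the comments (marker `0x01`, then big-endian PRF id, iteration count and salt length); `Rfc2898DeriveBytes` with a `HashAlgorithmName` (.NET Core 2.0+ or .NET Framework 4.7.2+) stands in for the `KeyDerivation.Pbkdf2` call Identity uses; the class name, sample password and sample hash are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
public static class IdentityHashInspector   // hypothetical name, not an Identity type
{
    static readonly HashAlgorithmName[] Prfs =   // indexed by the header PRF id: 0, 1, 2
        { HashAlgorithmName.SHA1, HashAlgorithmName.SHA256, HashAlgorithmName.SHA512 };
    static uint ReadBE(byte[] b, int o) =>
        ((uint)b[o] << 24) | ((uint)b[o + 1] << 16) | ((uint)b[o + 2] << 8) | b[o + 3];

    // Reports the KDF parameters a stored Base64 PasswordHash declares (V2 has no header).
    public static string Describe(string stored)
    {
        byte[] h = Convert.FromBase64String(stored);
        if (h.Length == 49 && h[0] == 0x00) return "V2: PBKDF2-HMAC-SHA1, 1000 iterations, 16-byte salt";
        if (h.Length < 13 || h[0] != 0x01) return "unknown format";
        uint prf = ReadBE(h, 1), iter = ReadBE(h, 5), saltLen = ReadBE(h, 9);
        if (prf >= Prfs.Length || iter == 0 || iter > int.MaxValue || saltLen < 8 || saltLen >= h.Length - 13)
            return "V3 marker, malformed header";
        return $"V3: PBKDF2-HMAC-{Prfs[prf].Name}, {iter} iterations, " +
               $"{saltLen}-byte salt, {h.Length - 13 - saltLen}-byte subkey";
    }

    // Recomputes PBKDF2 from a V3 header and compares the result with the stored subkey.
    public static bool VerifyV3(string stored, string password)
    {
        if (!Describe(stored).StartsWith("V3: ", StringComparison.Ordinal)) return false;
        byte[] h = Convert.FromBase64String(stored), salt = new byte[ReadBE(h, 9)];
        Buffer.BlockCopy(h, 13, salt, 0, salt.Length);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, (int)ReadBE(h, 5), Prfs[ReadBE(h, 1)]))
        {
            int diff = 0, off = 13 + salt.Length;
            byte[] subkey = kdf.GetBytes(h.Length - off);
            for (int i = 0; i < subkey.Length; i++) diff |= subkey[i] ^ h[off + i]; // no early exit
            return diff == 0;
        }
    }

    public static void Main()
    {
        // Constructed sample in the V3 layout, built here; not a value from any real database.
        byte[] h = new byte[13 + 16 + 32], salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        new byte[] { 1, 0, 0, 0, 1, 0, 0, 0x27, 0x10, 0, 0, 0, 16 }.CopyTo(h, 0); // SHA256, 10000, 16
        salt.CopyTo(h, 13);
        using (var kdf = new Rfc2898DeriveBytes("Sample-Passw0rd!", salt, 10000, HashAlgorithmName.SHA256))
            kdf.GetBytes(32).CopyTo(h, 29);
        string stored = Convert.ToBase64String(h);
        Console.WriteLine(Describe(stored) + " / " + VerifyV3(stored, "Sample-Passw0rd!") + " / " + VerifyV3(stored, "wrong"));
    }
}
```

Running `Describe` over the values in the `PasswordHash` column shows whether every account is on the V3 layout and whether salts differ per row; identical salts or a low iteration count in the header are the things to look for.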