Best Practices for Secure Password Hashing in .NET

Passwords are the cornerstone of user authentication in nearly every application. Whether you’re building a small website or a large enterprise system, handling passwords securely is critical to protecting your users and your application from attacks. Unfortunately, many breaches and hacks occur because passwords are stored or managed insecurely. As a .NET developer, understanding and applying best practices for password handling is essential.

This post aims to provide a clear, beginner-friendly guide on password security, focusing on secure password hashing in .NET projects. We’ll explore fundamental concepts, best practices, and step-by-step examples that you can implement right away.

Why Password Security Matters

When users create accounts on your application, they trust you to keep their credentials safe. If attackers gain access to your database and passwords are not properly protected, all of your users' accounts could be compromised. The consequences may include:

• Account Takeover: Attackers can access user accounts, impersonate them, or steal sensitive information.
• Credential Stuffing: If users reuse passwords across sites (which many do), attackers can try those passwords elsewhere.
• Reputational Damage: Data breaches lead to lost trust, negative publicity, and potential legal consequences.

Real-world Breaches

Many notable breaches (LinkedIn, Adobe, and others) happened because passwords were stored insecurely, often as plain text or using weak hashing algorithms. Don’t make the same mistake.

Common Mistakes in Password Storage

Before diving into the right way, let’s clarify what not to do:

• Storing passwords in plain text.
• Using reversible encryption.
• Using fast hash functions (like MD5, SHA1, SHA256) without additional protection.
• Not using a salt.
• Using the same salt for all passwords.

Each of these mistakes leaves user data vulnerable if your database is compromised.

What Is Hashing?

Hashing is a one-way function that converts data (like a password) into a fixed-length string of characters, which is typically a sequence of numbers and letters.

• One-way: You cannot revert the hash back to the original password.
• Deterministic: The same input always produces the same hash.
• Fixed Length: Output is always the same size, regardless of input.

Example

using System.Security.Cryptography;
using System.Text;

string password = "SuperSecret123";
using (var sha256 = SHA256.Create())
{
    byte[] bytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(password));
    string hash = Convert.ToBase64String(bytes);
    Console.WriteLine(hash);
}

Warning: This is NOT secure for password storage, as explained below.

Why Not Use Simple Hash Functions?

Hash functions like MD5, SHA1, and SHA256 are designed for speed. They’re great for data integrity checks but not for password storage.

Why?

• Speed: Attackers can perform billions of hash computations per second, making brute-force attacks feasible.
• No Salt: Identical passwords will have identical hashes, making it easier for attackers to use precomputed tables (rainbow tables).

Conclusion: Never use plain cryptographic hash functions for passwords.

Best Practices for Password Hashing

To securely store passwords, you need to:

1. Use a Slow, Adaptive Hash Algorithm: Such as PBKDF2, bcrypt, scrypt, or Argon2.
2. Generate a Unique Salt for Each Password: A salt is random data that is added to the password before hashing.
3. Store the Salt with the Hash: So you can verify the password later.
4. Tune the Work Factor: Adjust parameters to balance security and performance.
5. Never Store the Plain Password or Reversible Encryption.
6. Consider Using a Library or Framework: Avoid writing your own hashing logic when possible.

Password Hashing in .NET: Modern Approaches

.NET provides robust, built-in support for secure password storage. Let’s look at recommended approaches:

1. Use ASP.NET Core Identity

If you’re using ASP.NET Core, the Identity system handles password hashing securely out-of-the-box, using PBKDF2.

2. Use PasswordHasher<TUser>

This class is part of Microsoft.AspNetCore.Identity and handles all details of hashing, salting, and parameter tuning.

3. Use Rfc2898DeriveBytes (PBKDF2) directly

For custom solutions or non-ASP.NET Core projects, you can use PBKDF2 via Rfc2898DeriveBytes.

Step-by-Step Example: Password Hashing in .NET

Let’s walk through a practical example using Rfc2898DeriveBytes. This is useful if you’re not using ASP.NET Core Identity.

1. Hashing a Password

using System.Security.Cryptography;
using System.Text;

public class PasswordHasher
{
    // Configuration: adjust as needed
    private const int SaltSize = 16; // 128 bit
    private const int KeySize = 32;  // 256 bit
    private const int Iterations = 100_000; // Increase as hardware allows

    public static string Hash(string password)
    {
        // Generate a random salt
        using var rng = RandomNumberGenerator.Create();
        byte[] salt = new byte[SaltSize];
        rng.GetBytes(salt);

        // Derive the key (hash)
        using var pbkdf2 = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256);
        byte[] hash = pbkdf2.GetBytes(KeySize);

        // Combine salt + hash for storage
        var result = new byte[SaltSize + KeySize];
        Buffer.BlockCopy(salt, 0, result, 0, SaltSize);
        Buffer.BlockCopy(hash, 0, result, SaltSize, KeySize);

        // Store as Base64 string
        return Convert.ToBase64String(result);
    }

    public static bool Verify(string password, string hashed)
    {
        var stored = Convert.FromBase64String(hashed);

        // Extract salt
        var salt = new byte[SaltSize];
        Buffer.BlockCopy(stored, 0, salt, 0, SaltSize);

        // Extract hash
        var hash = new byte[KeySize];
        Buffer.BlockCopy(stored, SaltSize, hash, 0, KeySize);

        // Hash the input password with the same salt
        using var pbkdf2 = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256);
        byte[] hashToCompare = pbkdf2.GetBytes(KeySize);

        // Compare hashes in constant time
        return CryptographicOperations.FixedTimeEquals(hash, hashToCompare);
    }
}

2. Usage Example

string password = "MyPa$$word!";

// Hash the password for storage
string hash = PasswordHasher.Hash(password);
Console.WriteLine($"Hashed: {hash}");

// Later, verify the password from input
bool isValid = PasswordHasher.Verify("MyPa$$word!", hash);
Console.WriteLine($"Is valid: {isValid}");

3. Explanation

• SaltSize and KeySize: The salt is random data to ensure unique hashes for identical passwords. The key (hash) size should be large enough for security.
• Iterations: Increasing this number makes hashing slower, which is good for security but can affect performance.
• Hashing: PBKDF2 is intentionally slow and resistant to brute-force attacks.
• Verification: When a user logs in, you retrieve the stored hash, extract the salt, hash the input password with the same salt and iterations, and compare the results.

Additional Security Considerations

1. Use a Strong Password Policy

• Require a minimum length (at least 8, preferably 12+).
• Encourage or require a mix of uppercase, lowercase, numbers, and symbols.
• Consider using password strength meters in your UI.

2. Protect Against Brute Force

• Use account lockouts or exponential back-off after failed login attempts.
• Monitor for unusual login patterns.

3. Always Use HTTPS

Passwords should never travel over plaintext HTTP. Always encrypt data in transit.

4. Use Multi-Factor Authentication (MFA)

MFA dramatically increases security by requiring a second form of verification.

5. Regularly Update Dependencies

Keep your libraries and frameworks up-to-date to patch vulnerabilities.

6. Never Log Plaintext Passwords

Don’t write passwords to logs, error messages, or analytics.

7. Use Built-In Libraries When Possible

The .NET Identity framework is updated and maintained by security experts. Prefer using it over rolling your own unless you have a strong reason.

Common Mistakes to Avoid

• Rolling your own crypto: Always use well-tested libraries
• Using insufficient work factors - Regularly increase as hardware improves
• Storing hashes improperly - Ensure your database field is large enough
• Logging passwords - Never log passwords or password hashes
• Using the same salt for all users - Each password needs a unique salt

Summary

Implementing secure password hashing in .NET is straightforward when you use the right tools and follow best practices. Whether you choose ASP.NET Core Identity's built-in hasher, PBKDF2, or BCrypt, the most important thing is to avoid storing passwords in plain text and to use algorithms specifically designed for password hashing. Key Takeaways:

• Never store passwords in plain text or use reversible encryption.
• Always use a slow, salted, adaptive hash function.
• Prefer built-in solutions like ASP.NET Core Identity when possible.
• Implement strong password policies and additional security layers (like MFA).
• Stay informed and keep dependencies updated.

By following these best practices, you can help ensure your users’ passwords—and your reputation—stay safe.

Related Articles on Our Blog

If you found this guide helpful, you might also enjoy these in-depth articles on our website:

• Domain Driven Design in .NET: From Concept to Implementation
• MediatR in .NET: A Complete Guide with Real Examples and Clean Architecture
• Mastering Caching in .NET: Ultimate Guide to Blazing Fast, Scalable, and Cost-Effective Applications

References

• OWASP Password Storage Cheat Sheet
• Microsoft Docs: Secure Password Authentication
• NIST Digital Identity Guidelines
• PasswordHasher Class (Microsoft.AspNetCore.Identity)
• CryptographicOperations.FixedTimeEquals