ASP.NET Identity’s default Password Hasher – How does it work and is it secure?

I am wondering whether the Password Hasher that is implemented by default in the UserManager that comes with MVC 5 and ASP.NET Identity Framework is secure enough? And if so, could you explain to me how it works?

IPasswordHasher interface looks like this:

public interface IPasswordHasher
{
    string HashPassword(string password);
    PasswordVerificationResult VerifyHashedPassword(string hashedPassword, 
                                                       string providedPassword);
}

As you can see, it doesn’t take a salt, but it is mentioned in this thread: “Asp.net Identity password hashing” that it does in fact salt it behind the scenes. So I am wondering how does it do this? And where does this salt come from?

My concern is that the salt is static, rendering it quite insecure.
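Added illustration, not code from the question or from the ASP.NET Identity library: a hasher with the same shape as IPasswordHasher (no salt parameter) that is still salted per password, because HashPassword draws a fresh random salt on every call and stores it inside the returned string, and VerifyHashedPassword reads it back out before re-deriving the key. It assumes .NET 6 or later, uses PBKDF2-SHA256 with an assumed iteration count, and returns bool instead of PasswordVerificationResult so it runs stand-alone.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical hasher (not the library's code). Stored string layout:
//   Base64( formatMarker(1) | salt(16) | subkey(32) )
public sealed class SaltedPbkdf2Hasher
{
    private const int SaltSize = 16;        // 128-bit random salt per password
    private const int SubkeySize = 32;      // 256-bit derived key
    private const int Iterations = 100_000; // assumed work factor; tune for your hardware
    private const byte FormatMarker = 0x00; // lets the layout change later without ambiguity

    public string HashPassword(string password)
    {
        if (password == null) throw new ArgumentNullException(nameof(password));
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize); // new salt every call
        byte[] subkey = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, SubkeySize);
        byte[] output = new byte[1 + SaltSize + SubkeySize];
        output[0] = FormatMarker;
        Buffer.BlockCopy(salt, 0, output, 1, SaltSize);
        Buffer.BlockCopy(subkey, 0, output, 1 + SaltSize, SubkeySize);
        return Convert.ToBase64String(output); // salt travels with the hash
    }

    public bool VerifyHashedPassword(string hashedPassword, string providedPassword)
    {
        byte[] decoded;
        try { decoded = Convert.FromBase64String(hashedPassword); }
        catch (FormatException) { return false; }
        if (decoded.Length != 1 + SaltSize + SubkeySize || decoded[0] != FormatMarker)
            return false;
        byte[] salt = new byte[SaltSize];
        Buffer.BlockCopy(decoded, 1, salt, 0, SaltSize); // recover the per-password salt
        byte[] expected = new byte[SubkeySize];
        Buffer.BlockCopy(decoded, 1 + SaltSize, expected, 0, SubkeySize);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(
            providedPassword, salt, Iterations, HashAlgorithmName.SHA256, SubkeySize);
        return CryptographicOperations.FixedTimeEquals(actual, expected); // no early exit
    }

    public static void Main()
    {
        var hasher = new SaltedPbkdf2Hasher();
        string h1 = hasher.HashPassword("correct horse battery staple");
        string h2 = hasher.HashPassword("correct horse battery staple");
        Console.WriteLine($"Same password, different salts: {h1 != h2}");           // True
        Console.WriteLine($"Verify ok: {hasher.VerifyHashedPassword(h1, "correct horse battery staple")}"); // True
        Console.WriteLine($"Wrong password: {hasher.VerifyHashedPassword(h1, "wrong")}");                  // False
    }
}
```

Running Main shows the salt is not static: two hashes of the same password differ, yet both verify, because each hash carries its own salt.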

5 Answers