Enhancing .NET Security: A Guide to Secure Password Hashing with Spargine’s SHA256PasswordHasher

Spargine is a set of open-source assemblies and NuGet packages for .NET 8, developed and maintained by me since the release of .NET 2. These assemblies are integral to my projects and are currently in production at my company. You can access the source code and NuGet packages through the following links:

Effective password hashing is essential for application security, helping ensure that password data remains protected. The SHA256PasswordHasher class in the DotNetTips.Spargine.8.Core assembly is designed for precisely this purpose, enabling secure password hashing and verification. This article introduces the class, discusses its features, and provides examples of how to use it for secure password management in .NET applications.

Background: Why Secure Password Hashing Matters

In my previous role with a company, a security audit flagged their existing password hashing mechanism as insufficiently secure. I took on the challenge of finding a secure, optimized approach to password hashing in .NET, leading to the development of the SHA256PasswordHasher class.

Why SHA-256?

SHA-256, part of the SHA-2 cryptographic hash function family developed by the National Security Agency (NSA), produces a fixed-length 256-bit (32-byte) hash for any input, commonly referred to as the “digest.” SHA-256 offers strong data integrity verification and is a widely accepted standard for secure password storage because of its collision resistance: collisions are theoretically possible but highly improbable.

Introducing the SHA256PasswordHasher Class

To address the need for secure password hashing, I designed the SHA256PasswordHasher class. This class uses SHA-256 for hashing and generates a unique salt for each password to protect against dictionary and rainbow table attacks. The result is a straightforward, high-performance solution for password hashing in .NET applications.

Key Methods

The SHA256PasswordHasher class offers two primary methods for hashing and verifying passwords:

HashPassword()

The HashPassword() method creates a secure hash of the specified password with a unique salt and returns the result as a Base64-encoded string. The method:

  • Generates a new salt for each password.
  • Hashes the password with SHA-256 using the salt.
  • Combines the salt and the hash into a single Base64 string, so that each stored password carries its own unique salt.

Usage Example:

string password = "TestPassword";
string hashedPassword = SHA256PasswordHasher.HashPassword(password);

VerifyHashedPassword()

The VerifyHashedPassword() method checks a stored hash against a provided plaintext password. It returns a PasswordVerificationResult enum value: Failed, Success, or SuccessRehashNeeded.

Usage Example:

string password = "TestPassword";
string hashedPassword = "AfVoz2bJNOEnSZ+VZZyc7D5uQ4uyigHNqZx+ZfBfQsj2DkEi6YdqVUpkwPEJhGXW1g==";
PasswordVerificationResult result = SHA256PasswordHasher.VerifyHashedPassword(hashedPassword, password);

Properties

The SHA256PasswordHasher class includes properties to assist developers in managing hashing details and versions:

  • HashAlgorithmName: Returns “SHA256”.
  • SaltSize: Specifies the salt size, which is 16 bytes by default.
  • Version: Indicates the version of the hashing algorithm in use (currently 1), allowing future updates or alternative hashing strategies.

Future-Proofing Password Security

Properties such as Version support later changes to the hashing method or its settings without invalidating the hashes already stored. As security standards evolve, this flexibility helps keep your password storage mechanism robust.
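To make the behaviour described in the HashPassword(), VerifyHashedPassword() and Properties sections concrete, here is an added, self-contained C# re-implementation of the same scheme. It is illustrative code written for this article, not Spargine's SHA256PasswordHasher source. It assumes a stored layout of one version byte, followed by the 16-byte salt, followed by the 32-byte SHA-256 digest (49 bytes, which is what the article's Base64 sample decodes to); the enum, class and helper names are my own. The verifier compares digests in constant time and returns SuccessRehashNeeded when a hash was written under an older format version, which is how the Version property supports migration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Illustrative re-implementation of the article's salted SHA-256 scheme; not Spargine's code.
public enum PasswordVerificationResult { Failed, Success, SuccessRehashNeeded }

public static class SaltedSha256Hasher
{
    public const string HashAlgorithmName = "SHA256";
    public const int SaltSize = 16;   // bytes, the article's default
    public const byte Version = 1;    // format version written into each stored hash
    private const int HashSize = 32;  // SHA-256 digest length in bytes

    // Assumed layout: [version (1)][salt (16)][digest (32)] = 49 bytes, Base64-encoded.
    public static string HashPassword(string password)
    {
        ArgumentException.ThrowIfNullOrEmpty(password);
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);   // fresh CSPRNG salt per call
        byte[] digest = ComputeDigest(salt, password);

        byte[] stored = new byte[1 + SaltSize + HashSize];
        stored[0] = Version;
        Buffer.BlockCopy(salt, 0, stored, 1, SaltSize);
        Buffer.BlockCopy(digest, 0, stored, 1 + SaltSize, HashSize);
        return Convert.ToBase64String(stored);
    }

    public static PasswordVerificationResult VerifyHashedPassword(string hashedPassword, string providedPassword)
    {
        if (string.IsNullOrEmpty(hashedPassword) || string.IsNullOrEmpty(providedPassword))
            return PasswordVerificationResult.Failed;

        byte[] stored;
        try { stored = Convert.FromBase64String(hashedPassword); }
        catch (FormatException) { return PasswordVerificationResult.Failed; }

        // Reject unknown layouts and versions newer than this code understands.
        if (stored.Length != 1 + SaltSize + HashSize || stored[0] > Version)
            return PasswordVerificationResult.Failed;

        byte[] salt = new byte[SaltSize];
        Buffer.BlockCopy(stored, 1, salt, 0, SaltSize);
        byte[] expected = new byte[HashSize];
        Buffer.BlockCopy(stored, 1 + SaltSize, expected, 0, HashSize);

        byte[] actual = ComputeDigest(salt, providedPassword);

        // Constant-time comparison so the position of a mismatch does not leak through timing.
        if (!CryptographicOperations.FixedTimeEquals(actual, expected))
            return PasswordVerificationResult.Failed;

        // Hashes written under an older format version still verify, but the caller is
        // told to re-hash so the stored value is upgraded to the current version.
        return stored[0] == Version
            ? PasswordVerificationResult.Success
            : PasswordVerificationResult.SuccessRehashNeeded;
    }

    private static byte[] ComputeDigest(byte[] salt, string password)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];   // salt || password
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        byte[] digest = SHA256.HashData(input);
        CryptographicOperations.ZeroMemory(pwd);     // do not leave plaintext in managed memory
        CryptographicOperations.ZeroMemory(input);
        return digest;
    }
}

public static class Program
{
    public static void Main()
    {
        string stored = SaltedSha256Hasher.HashPassword("TestPassword");
        Console.WriteLine(stored);                                                         // 68 Base64 characters
        Console.WriteLine(SaltedSha256Hasher.VerifyHashedPassword(stored, "TestPassword")); // correct password
        Console.WriteLine(SaltedSha256Hasher.VerifyHashedPassword(stored, "testpassword")); // wrong case
        Console.WriteLine(SaltedSha256Hasher.HashPassword("TestPassword") == stored);        // new salt each call
    }
}
```

Because the salt is regenerated on every call, hashing the same password twice yields two different strings, which is the property that defeats precomputed rainbow tables. Bumping the Version constant is enough to make every existing hash return SuccessRehashNeeded on the next successful login, at which point the application can store a freshly computed hash.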

If your application needs a secure and easy-to-implement solution for password hashing, I encourage you to try the SHA256PasswordHasher. It combines high security with performance optimizations, making it a strong choice for any .NET application.

Using the Right Tools for Securing Sensitive Data

After the release of this article, I received an email inquiring whether the SHA256PasswordHasher could be used to encrypt sensitive text, such as API keys stored in a database or connection strings saved in machine settings.

The answer is no: hashing is inherently a “one-way” process designed for verification, so the original text cannot be recovered from the hash. It is not encryption and cannot be decrypted.

For scenarios requiring encryption and decryption, you can instead use the SimpleSHA256Encrypt() and SimpleSHA256Decrypt() methods. These are part of the EncryptionHelper class, included in the DotNetTips.Spargine.8.Core assembly. These methods are specifically designed to securely encrypt and decrypt data, making them ideal for safeguarding sensitive information in your applications.
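As an added illustration of the distinction made above (reversible protection for a secret such as a connection string, as opposed to one-way hashing), the following C# example uses .NET's built-in AesGcm class. This is example code written for this article; it is not Spargine's EncryptionHelper, and it makes no claim about how SimpleSHA256Encrypt() and SimpleSHA256Decrypt() work internally. The key, the sample connection string and the output layout (12-byte nonce, 16-byte tag, ciphertext, Base64-encoded) are all assumptions of the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Illustrative only: authenticated encryption of a secret with AesGcm. Not Spargine's EncryptionHelper.
public static class SecretProtector
{
    // Assumed output layout: [12-byte nonce][16-byte tag][ciphertext], Base64-encoded.
    private const int NonceSize = 12;
    private const int TagSize = 16;

    public static string Encrypt(byte[] key, string plaintext)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize);   // must never repeat under the same key
        byte[] plain = Encoding.UTF8.GetBytes(plaintext);
        byte[] cipher = new byte[plain.Length];
        byte[] tag = new byte[TagSize];

        using (var aes = new AesGcm(key, TagSize))
            aes.Encrypt(nonce, plain, cipher, tag);

        byte[] blob = new byte[NonceSize + TagSize + cipher.Length];
        Buffer.BlockCopy(nonce, 0, blob, 0, NonceSize);
        Buffer.BlockCopy(tag, 0, blob, NonceSize, TagSize);
        Buffer.BlockCopy(cipher, 0, blob, NonceSize + TagSize, cipher.Length);
        return Convert.ToBase64String(blob);
    }

    public static string Decrypt(byte[] key, string encoded)
    {
        byte[] blob = Convert.FromBase64String(encoded);
        if (blob.Length < NonceSize + TagSize)
            throw new CryptographicException("Ciphertext too short.");

        byte[] nonce = blob.AsSpan(0, NonceSize).ToArray();
        byte[] tag = blob.AsSpan(NonceSize, TagSize).ToArray();
        byte[] cipher = blob.AsSpan(NonceSize + TagSize).ToArray();
        byte[] plain = new byte[cipher.Length];

        // Decrypt throws CryptographicException when the tag does not verify
        // (wrong key or a modified blob), so tampering is detected before any plaintext is returned.
        using (var aes = new AesGcm(key, TagSize))
            aes.Decrypt(nonce, cipher, tag, plain);
        return Encoding.UTF8.GetString(plain);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values: a real key comes from a secret store, never from source code or the database
        // that holds the ciphertext.
        byte[] key = RandomNumberGenerator.GetBytes(32);   // AES-256
        string connectionString = "Server=db;Database=app;User Id=svc;Password=example-only";

        string protectedValue = SecretProtector.Encrypt(key, connectionString);
        string recovered = SecretProtector.Decrypt(key, protectedValue);
        Console.WriteLine(recovered == connectionString);   // round trip succeeds with the right key
    }
}
```

The round trip is what a hash can never provide: Decrypt() returns the original connection string, and a wrong key or a single flipped byte in the stored value raises a CryptographicException instead of silently yielding garbage.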

Summary

I am confident that these enhanced methods in Spargine will greatly benefit your projects by improving performance and reliability. Detailed benchmark results are available on GitHub. The success of open-source projects like Spargine depends significantly on community involvement. If you find these updates useful or have ideas for further improvements, I encourage you to contribute. Whether by submitting a pull request, reporting issues, or suggesting new features, your input is invaluable.

Together, we can continue to make Spargine a powerful and essential tool for the .NET community. Your feedback and suggestions are highly appreciated, so please share them in the comments section.

If you are interested in contributing to this project or have any questions, feel free to contact me via email at dotnetdave@live.com. Your support and collaboration are greatly appreciated!

Thank you for your support, and happy coding!

Pick up any books by David McCarter by going to Amazon.com: http://bit.ly/RockYourCodeBooks


If you liked this article, please buy David a cup of Coffee by going here: https://www.buymeacoffee.com/dotnetdave

© The information in this article is copyrighted and cannot be reproduced in any way without express permission from David McCarter.


One thought on “Enhancing .NET Security: A Guide to Secure Password Hashing with Spargine’s SHA256PasswordHasher”

  1. Have you heard about OWASP Password Storage Cheat Sheet?

    Using a fast SHA hash is in no way secure or recommended nowadays.
