Effective password hashing is a cornerstone of application security. When implemented correctly, it protects user credentials even if an attacker gains access to your data store. When implemented poorly, it becomes a liability that can compromise an entire system.

Earlier versions of Spargine for .NET 8 included two separate password-hashing implementations: SHA256PasswordHasher and PBKDF2PasswordHasher. While both were effective in their intended use cases, maintaining multiple hashing classes was unnecessary and limited flexibility.

With the release of Spargine for .NET 10, I consolidated these implementations into a single, more powerful solution: PasswordHasher, available in the DotNetTips.Spargine.10.Core assembly and NuGet package. This unified approach simplifies usage while expanding algorithm support, allowing developers to choose the right hashing strategy based on their security requirements and performance constraints.

This article introduces the PasswordHasher class, explains why secure password hashing matters, and outlines the supported algorithms for modern .NET applications.

Why Secure Password Hashing Matters

In a previous role, a security audit flagged an application’s password-storage mechanism as insufficient. While the system technically “hashed” passwords, it failed to meet modern security standards—leaving it vulnerable to brute-force, dictionary, and rainbow-table attacks.

That experience reinforced an important lesson: hashing alone is not enough. Password hashing must be slow, salted, and resistant to modern attack techniques.

To address this, I originally created two dedicated password-hashing classes in Spargine. As cryptographic options evolved and .NET matured, it became clear that a single, extensible hasher—supporting multiple modern algorithms—was the better long-term solution. The result is PasswordHasher.

Supported Hashing Algorithms

PasswordHasher supports a wide range of cryptographic hashing algorithms, allowing developers to balance security strength, performance, and compatibility.

Argon2

Argon2 is a modern, memory-hard password hashing algorithm and the winner of the Password Hashing Competition. It is designed to resist GPU and ASIC attacks by consuming significant memory and CPU resources.
Recommended for new applications requiring maximum security.

PBKDF2

PBKDF2 (Password-Based Key Derivation Function 2) is a widely adopted, standards-based algorithm supported across many platforms. It applies repeated hashing iterations to slow down brute-force attacks.
A strong, well-understood choice for enterprise and legacy compatibility scenarios.

SHA256

SHA-256 is a fast cryptographic hash function. When used for passwords, it must always be combined with a unique salt.
Best suited for non-interactive hashing scenarios or compatibility needs—not ideal as a standalone password hasher.

SHA3-256

SHA3-256 is part of the SHA-3 family and is structurally different from SHA-2 algorithms. It offers strong cryptographic guarantees and resistance to certain attack classes affecting older designs.
A solid modern alternative to SHA-256 when speed and cryptographic diversity are desired.

SHA3-384

SHA3-384 provides a longer hash output than SHA3-256, increasing collision resistance.
Useful when higher security margins are required.

SHA3-512

SHA3-512 delivers the strongest collision resistance in the SHA-3 family with the largest output size.
Best for high-security environments where performance impact is acceptable.

SHAKE128

SHAKE128 is an extendable-output function (XOF), allowing variable-length hashes.
Useful for advanced cryptographic scenarios requiring flexible output sizes.

SHAKE256

SHAKE256 offers the same flexibility as SHAKE128 but with higher security strength.
Ideal for future-proof cryptographic designs needing adaptable hash lengths.

No matter which algorithm you choose, PasswordHasher provides a consistent API and built-in salting support, allowing you to focus on security—not implementation details.

PasswordHasher

The PasswordHasher class provides a unified, easy-to-use API for hashing and verifying passwords using the selected algorithm. It automatically incorporates salting and standardizes how hashes are produced and validated across algorithms.

This design eliminates duplicated logic, reduces configuration errors, and ensures consistent behavior throughout your application.

Methods

• HashPassword(string password, HashAlgorithmType algorithmType)
  Hashes the specified plain-text password using the selected hashing algorithm and a unique salt.
• VerifyHashedPassword(string hashedPassword, string password, HashAlgorithmType algorithmType)
  Verifies that the provided plain-text password matches the stored hashed password using the specified hashing algorithm.

Hashing Performance

The following benchmarks illustrate the relative performance cost of hashing passwords using the algorithms supported by PasswordHasher. All values represent the average time required to hash a single password.

• Argon2: 36,900,139.5 ns
• PBKDF2: 57,489,778.5 ns
• SHA-256: 1,039.3 ns
• SHA3-256: 832.7 ns
• SHA3-384: 870.4 ns
• SHA3-512: 824.0 ns
• SHAKE128: 822.7 ns
• SHAKE256: 834.7 ns

These results clearly demonstrate the tradeoff between security strength and performance. Memory-hard and iteration-based algorithms such as Argon2 and PBKDF2 are intentionally slow to defend against brute-force and hardware-accelerated attacks. In contrast, SHA-2, SHA-3, and SHAKE algorithms are extremely fast, making them unsuitable as standalone password hashers unless additional protections are applied.

When selecting a hashing algorithm, performance should never be the primary concern. Slower hashes significantly increase the cost of an attack while having a negligible impact on legitimate authentication workflows. Choose the strongest algorithm your application can reasonably support—and plan your security strategy accordingly.

Summary

Secure password hashing is not optional—it is a fundamental requirement for any modern application that handles user credentials. With PasswordHasher, Spargine provides a flexible, future-proof solution that supports both industry-standard and cutting-edge hashing algorithms through a single, consistent API.

By consolidating multiple implementations into one extensible class, PasswordHasher simplifies secure password management while giving developers the freedom to choose the right algorithm for their specific needs. Whether you prioritize maximum security with Argon2, standards compliance with PBKDF2, or cryptographic versatility with SHA-3 and SHAKE algorithms, Spargine has you covered. If you care about security, performance, and clean design in your .NET applications, PasswordHasher is the right tool for the job.

Pick up any books by David McCarter by going to Amazon.com: http://bit.ly/RockYourCodeBooks

If you liked this article, please buy David a cup of Coffee by going here: https://www.buymeacoffee.com/dotnetdave

© The information in this article is copywritten and cannot be preproduced in any way without express permission from David McCarter.