Storing Passwords in .NET Core
Dealing with passwords is a minefield of easy mistakes that could lead to a serious security vulnerability. In this post, we’ll first look at some mistakes to avoid, and then dive into some details of how you should store passwords. In general, the best path is to use a vetted, packaged identity solution such as ASP.NET Core Identity, or skip the need to store passwords altogether with OpenID Connect to support social media logins, but for the sake of this article we’ll assume that you have a compelling reason to build your own solution.
Down The Road Of Failures
Before we build a system for securely storing passwords, we need to get familiar with the complex landscape we're going to be journeying through. Most insecure applications end up that way because their builders did not understand the threats and risks involved. Before we get to the right approach, we'll explore some of the mistakes you can make and pitfalls to avoid.
Underestimating the Risk
If you are not working at a financial institution, on a government contract, or on another high-sensitivity project, you might find yourself asking “who would really want to steal a…