The first line of defense in each application is a password. Inadequate storage can result in catastrophic breaches. If used properly, ASP.NET Core Identity provides a safe, industry standard solution.

How Passwords Are Stored in ASP.NET Core?
Passwords are stored by ASP.NET Core Identity using:

  • The hashing algorithm PBKDF2
  • Per-user salt at random
  • Over 10,000 iterations
  • IdentityV3 password hash is a secure format.

This guarantees that no two passwords result in the same hash.

Never Store Plain Text Passwords
Example of what not to do:
user.Password = model.Password; //Insecure way of storing password

If your database gets leaked, all passwords are exposed.

Use Identity Password Hasher
ASP.NET Core Identity automatically hashes passwords:
await _userManager.CreateAsync(user, model.Password);

If you're building a custom user system:
var hashedPassword = _passwordHasher.HashPassword(user, password);

Verification
_passwordHasher.VerifyHashedPassword(user, hashedPassword, providedPassword);

Password Salting
Salt is a random string added before hashing to prevent:

  • Rainbow table attacks
  • Hash collisions

ASP.NET Core Identity generates salt automatically. No need to manage it yourself.

Password Peppering
Pepper is a secret stored outside the DB (in environment variables / Key Vault). It’s an optional extra security.

Example
string pepper = config["PasswordPepper"];
string passwordWithPepper = password + pepper;
var hash = _passwordHasher.HashPassword(user, passwordWithPepper);

Use only in custom implementations—not required for Identity. 

Password Strength Requirements
Configure password policy:
builder.Services.Configure<IdentityOptions>(options =>
{
    options.Password.RequireDigit = true;
    options.Password.RequireLowercase = true;
    options.Password.RequireUppercase = true;
    options.Password.RequiredLength = 8;
});

Force Users to Change Password Regularly
Store last password change date and enforce:
if(user.LastPasswordChangeDate < DateTime.UtcNow.AddMonths(-3))
{
    return Redirect("/Account/ForceChangePassword");
}

Prevent Password Reuse
Store password history hashes:
var oldHashes = await _db.PasswordHistory
    .Where(x => x.UserId == user.Id)
    .Select(x => x.HashedPassword)
    .ToListAsync();

Reject if match
if(_passwordHasher.VerifyHashedPassword(user, oldHash, newPassword)
   != PasswordVerificationResult.Failed)
{
    return "Password already used.";
}

Enable Email Confirmation
Enable email confirmation so only users with a valid email address can activate their account. This also prevents attackers from registering fake accounts.

Use HTTPS Everywhere
Always force to use HTTPS so that passwords and login data stay encrypted and safe while being sent between the user and the server.
app.UseHttpsRedirection();

Conclusion
Storing passwords securely requires:

  • Strong hashing (PBKDF2)
  • Salt (built-in)
  • Optional pepper
  • Strong password policy
  • HTTPS
  • Avoiding reuse
  • Periodic changes

ASP.NET Core Identity already does most of the heavy lifting use it!