Replacing password hashing algorithm


I'd like to do one of two things:

  • Replace the hashing algorithm with something better fit for purpose (which atm I think it is not) or
  • Disable the automatic hashing and do that myself.

Which is the easier route? I have seen a comment in the code that atm the default password hasher cannot be replaced but I haven't really looked closely yet but it's made this question worth asking.


I gave that piece of code a better look and I think that static override is actually an option here and one that should be fairly easy to do. Can you please confirm that static overriding will work?

Thank you!

Have you checked this:

Hi, no, I didn't notice that at all.
This is a greenfield and I really only want better hashing because that's the more likely thing to get me in trouble if bad actors find a way in that they're not authorised to.

I may want at some point to plug my own stuff in other areas as well but I don't see that happening any time soon.
The other thing I have a slight problem with is the minimum password requirements but, again, this is not something that I am going to look at immediately, as it were.


What is the problem with current hashing?

That is configurable in PasswordOptions property.

The hashing, coupled with the restrictions, makes the use of rainbow tables way too easy and fast. I have thus developed mangling algorithms that I use to pre-process the paswords to make them slightly more impervious, combined with a clever use of HMACs and hashing. This is why I need to replace the one present which is too simple to precalculate.


It's already very decoupled, using IPasswordHasher. We just didn't provide an easy way for users to set such interface.

Do you mind filing a feature request for this, then we can provide a simpler way for users to replace the interface and implement their own logic.