WENJUN CHI

Reputation: 523

.NET Core PasswordHasher.HashPassword doesn't use TUser user, but why is it included in the method signature?

PasswordHasher.HashPassword doesn't use TUser user, but why is it included in the method signature?

Thanks!

Upvotes: 2

Views: 1275

Answers (1)

xanatos

Reputation: 111940

The PasswordHasher<TUser> class implements the interface IPasswordHasher<TUser>, which defines the method string HashPassword(TUser user, string password). As you noticed, PasswordHasher<TUser>.HashPassword doesn't use the TUser, but another implementation could. PasswordHasher<TUser>.HashPassword generates a random salt and uses it to hash the password directly, without any external data except the password. And, looking at it, it seems to be a good implementation.

You could build a MyPasswordHasher<TUser> that has a different salt for each user AND saves the salt for the password separately from the password. In this case you would need a TUser object containing the salt. Some years ago on the Security SO it was asked if it was a good idea to calculate the hash as hash(username + password)... To calculate the hash like that, you would need a TUser object with the username (we will ignore the quality of that solution here compared to the Microsoft solution).

Another common implementation I've seen in some sites is to have a column in the User table containing the "version" of "protocol" used for hashing passwords... In this way, if the hashing is discovered to be weak, a new "protocol" can be devised, and this "version" says in which way the hash has been calculated.

So the Microsoft programmers designed the IPasswordHasher<TUser> interface to be compatible with these kinds of hashes. They didn't implement them, but they left the possibility open.

(As a side note, the Microsoft version of PasswordHasher<TUser> generates a "packed" string containing the version, information on the key derivation function, the salt and the hash all together.)

Upvotes: 3
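The answer above describes an implementation that would need the TUser argument: a per-user "protocol version" column that says how the stored hash was computed, so a weak scheme can be retired without breaking existing logins. The following is an added example of such an IPasswordHasher<TUser>, written for this page; it is not the code from the post and not Microsoft's PasswordHasher<TUser>. It assumes .NET 6 or later and the Microsoft.AspNetCore.Identity package; the names IHasPasswordHashVersion, VersionedPasswordHasher, HashPasswordAs and DemoUser are hypothetical.

```csharp
// Added example (hypothetical names; not Microsoft's PasswordHasher<TUser>).
// Assumes .NET 6+ for Rfc2898DeriveBytes.Pbkdf2 and RandomNumberGenerator.GetBytes.
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Identity;

// Hypothetical contract the user entity satisfies: a column on the User table
// recording which hashing "protocol" produced the stored hash.
public interface IHasPasswordHashVersion
{
    int PasswordHashVersion { get; set; }
}

public sealed class VersionedPasswordHasher<TUser> : IPasswordHasher<TUser>
    where TUser : class, IHasPasswordHashVersion
{
    // Protocol table: version -> (PRF, iteration count). If a protocol turns out
    // to be weak, add a new entry and bump CurrentVersion; rows hashed with an
    // old version still verify and are upgraded on the next successful login.
    private const int CurrentVersion = 2;
    private const int SaltSize = 16;
    private const int KeySize = 32;

    private static (HashAlgorithmName Prf, int Iterations) Protocol(int version) => version switch
    {
        1 => (HashAlgorithmName.SHA256, 10_000),   // legacy parameters
        2 => (HashAlgorithmName.SHA512, 210_000),  // current parameters
        _ => throw new InvalidOperationException($"Unknown password hash version {version}"),
    };

    // IPasswordHasher<TUser>.HashPassword: always uses the current protocol.
    public string HashPassword(TUser user, string password) =>
        HashPasswordAs(user, password, CurrentVersion);

    // Hypothetical helper (also handy for migration tooling): hash under an
    // explicit protocol version and record that version on the user row.
    public string HashPasswordAs(TUser user, string password, int version)
    {
        ArgumentNullException.ThrowIfNull(user);
        ArgumentNullException.ThrowIfNull(password);

        var (prf, iterations) = Protocol(version);
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, prf, KeySize);

        // This is the point of the TUser parameter: the version lives on the
        // user row, separately from the "salt.hash" string in the password column.
        user.PasswordHashVersion = version;
        return Convert.ToBase64String(salt) + "." + Convert.ToBase64String(key);
    }

    public PasswordVerificationResult VerifyHashedPassword(TUser user, string hashedPassword, string providedPassword)
    {
        ArgumentNullException.ThrowIfNull(user);
        ArgumentNullException.ThrowIfNull(hashedPassword);
        ArgumentNullException.ThrowIfNull(providedPassword);

        string[] parts = hashedPassword.Split('.');
        if (parts.Length != 2) return PasswordVerificationResult.Failed;

        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[0]);
            expected = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException)
        {
            return PasswordVerificationResult.Failed;
        }

        // The user row decides which parameters to recompute the hash with.
        var (prf, iterations) = Protocol(user.PasswordHashVersion);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(providedPassword, salt, iterations, prf, expected.Length);

        // Constant-time comparison so timing does not leak how many bytes matched.
        if (!CryptographicOperations.FixedTimeEquals(actual, expected))
            return PasswordVerificationResult.Failed;

        // Correct password under an old protocol: SuccessRehashNeeded tells
        // UserManager to call HashPassword again, moving the row to CurrentVersion.
        return user.PasswordHashVersion < CurrentVersion
            ? PasswordVerificationResult.SuccessRehashNeeded
            : PasswordVerificationResult.Success;
    }
}

// Hypothetical user entity for a stand-alone run.
public sealed class DemoUser : IHasPasswordHashVersion
{
    public string UserName { get; set; } = "";
    public int PasswordHashVersion { get; set; }
}

public static class Program
{
    public static void Main()
    {
        var hasher = new VersionedPasswordHasher<DemoUser>();
        var user = new DemoUser { UserName = "alice" };
        const string password = "correct horse battery staple";

        // Simulate a row created under the legacy protocol, then check it:
        // verification uses the v1 parameters and asks for a rehash.
        string legacy = hasher.HashPasswordAs(user, password, version: 1);
        Console.WriteLine($"legacy row, v{user.PasswordHashVersion}: {hasher.VerifyHashedPassword(user, legacy, password)}");
        Console.WriteLine($"legacy row, wrong password: {hasher.VerifyHashedPassword(user, legacy, "wrong")}");

        // What UserManager does after SuccessRehashNeeded: rehash, which
        // also bumps the version column on the user row.
        string upgraded = hasher.HashPassword(user, password);
        Console.WriteLine($"upgraded row, v{user.PasswordHashVersion}: {hasher.VerifyHashedPassword(user, upgraded, password)}");
    }
}
```

Registering it is a one-liner in the service configuration, for example `services.AddScoped<IPasswordHasher<ApplicationUser>, VersionedPasswordHasher<ApplicationUser>>()` after `AddIdentity`, provided ApplicationUser implements the version property. Note that the version here is stored on the user row rather than packed into the hash string; Microsoft's PasswordHasher<TUser> takes the other route and packs a format marker into the string itself, which is why it never needs to look at TUser.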
