storing passwords in sql server database using ef core code first

Question

I have this class to represent my users:

public class User
{
    public int ID {get; set;}
    public string UserName {get; set;}
    [DataType(DataType.Password         


        

Answer 1

You should never store a password in the database if you can avoid it. Best practice is to store a salted, irreversible hash of the password.

Typically this would be a SHA2 or PBKDF2, or whatever of the password salted with something that cannot change about the user-- e.g. the ID of the record.

You would store the has typically as a varbinary(32) or whatever length your hash algorithm uses.

This approach means that you cannot determine a user's password, since it is irreversible. To test a password of someone attempting to login, perform the same hash with the same salt, and test if the result is the same as what you have in your database. This way, a hacker who gets your database cannot figure out what each user's password is, but you can still test if a user knows their own password.