== How to fix it in ASP.NET

=== Code examples

==== Noncompliant code example

[source,csharp,diff-id=201,diff-type=noncompliant]
----
using System.Security.Cryptography;

RNGCryptoServiceProvider rngCsp = new RNGCryptoServiceProvider();
byte[] salt = new byte[32];
rngCsp.GetBytes(salt);
Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, 100, HashAlgorithmName.SHA256); // Noncompliant
string hashed = Convert.ToBase64String(kdf.GetBytes(256 / 8));
----

Using `using Microsoft.AspNet.Identity`:
[source,csharp]
----
using Microsoft.AspNet.Identity;

string password = "NotSoSecure";
PasswordHasher hasher = new PasswordHasher();
string hash = hasher.HashPassword(password); // Noncompliant
----

==== Compliant solution

[source,csharp,diff-id=201,diff-type=compliant]
----
using System.Security.Cryptography;

RNGCryptoServiceProvider rngCsp = new RNGCryptoServiceProvider();
byte[] salt = new byte[32];
rngCsp.GetBytes(salt);
Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, 100_000, HashAlgorithmName.SHA256); // Compliant
string hashed = Convert.ToBase64String(kdf.GetBytes(256 / 8));
----

=== How does this work?

include::../../common/fix/pbkdf2-parameters.adoc[]

=== Going the extra mile

include::../../common/extra-mile/peppering.adoc[]