Hash with salt and pepper in ASP.NET Core?

osyris 236 Reputation points
2021-12-05T20:11:53.43+00:00

After only using UserManager for creating accounts,
I would like to know if the function below

" usermanager.CreateAsync(Admin, "Pass");"

is really the best option, or whether I should create my own hash system just using the database and add an account manually
for maximum security.

After doing some research I learned that (and please correct me if I'm wrong):

  • a hash is not encryption and cannot be returned to the original string, and two of the same hashed password are the same (without salt)
  • HMACSHA256 is slow but most secure
  • HMACSHA512 is fast but less secure
  • for the best security we should use a library like "BCrypt" and not the default "KeyDerivation.Pbkdf2" in ASP.NET Core
  • for maximum security a hash should always be combined with a salt to prevent "rainbow table" attacks and make brute-force attacks more difficult
  • and that using a pepper makes it even more secure, since it is stored in the app code and not in the database

By searching around I could not really find good examples that explain every step in detail, which makes it harder to understand.
And I would really like to know more about security, since it's probably the most important part of a service.

A simple example using salt and pepper combined with some explanation above the code would be great.

Developer technologies ASP.NET ASP.NET Core
Developer technologies ASP.NET Other

1 answer

  1. Bruce (SqlWork.com) 77,686 Reputation points Volunteer Moderator
    2021-12-06T16:21:04.83+00:00

    Passwords should be one way, so a one-way hash is used. Because duplicate passwords hash to the same value, a salt is added. A salt is a random string added to the password (appended or prepended) and should be unique for each password. This means for each password you need to save the salt, so your password file needs the user name, hash and salt value.

    When you validate a password for a user, you look up the hash and salt. You append the salt value to the sent password and perform the hash. If the new hash matches the old hash, the user sent the correct password.

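The store-and-verify procedure described in the answer, with the pepper the question asks about, as an added example that is not part of the original question or answer and not Microsoft's own code. It uses the PBKDF2 implementation that ships with ASP.NET Core (the Microsoft.AspNetCore.Cryptography.KeyDerivation package) rather than a third-party library. The class name, the record type and the PASSWORD_PEPPER environment variable are assumptions for illustration; the iteration count is a work factor to tune to your own hardware. Note that ASP.NET Core Identity's built-in PasswordHasher<TUser>, which UserManager.CreateAsync uses, already generates a random per-user salt and runs PBKDF2 for you, so this is what a hand-rolled version has to match before it adds anything.

```csharp
// Added example: salted + peppered password hashing on top of the PBKDF2 that ships
// with ASP.NET Core. Hypothetical helper class, not from the question or the answer.
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Cryptography.KeyDerivation;

public static class PasswordHasher
{
    // Work factor: raise it until one hash costs tens of milliseconds on your servers.
    private const int Iterations = 600_000;
    private const int SaltSize = 16;   // 128-bit random salt, unique per password
    private const int HashSize = 32;   // 256-bit derived key

    // What goes into the database for each user: salt, hash and the iteration count
    // used, so the work factor can be raised later without breaking old records.
    // The pepper is deliberately NOT part of this record.
    public sealed record StoredPassword(byte[] Salt, byte[] Hash, int Iterations);

    // The pepper lives in configuration / a secret store, never in the database.
    // Assumed here to come from an environment variable.
    private static byte[] LoadPepper()
    {
        string? pepper = Environment.GetEnvironmentVariable("PASSWORD_PEPPER");
        if (string.IsNullOrEmpty(pepper))
            throw new InvalidOperationException("PASSWORD_PEPPER is not configured");
        return Encoding.UTF8.GetBytes(pepper);
    }

    // Mix the pepper in as an HMAC key over the password instead of string-concatenating
    // it: the pepper then acts as a proper secret key, and an attacker holding only the
    // database cannot even start an offline guess without it.
    private static string PepperedPassword(string password, byte[] pepper)
    {
        using var hmac = new HMACSHA256(pepper);
        byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(password));
        return Convert.ToBase64String(mac);
    }

    // Registration: fresh random salt per user, then PBKDF2-HMAC-SHA256.
    public static StoredPassword Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = KeyDerivation.Pbkdf2(
            password: PepperedPassword(password, LoadPepper()),
            salt: salt,
            prf: KeyDerivationPrf.HMACSHA256,
            iterationCount: Iterations,
            numBytesRequested: HashSize);
        return new StoredPassword(salt, hash, Iterations);
    }

    // Login: look up the user's salt and hash, recompute with the same parameters,
    // and compare in constant time so a byte-by-byte mismatch does not leak timing.
    public static bool Verify(string password, StoredPassword stored)
    {
        byte[] candidate = KeyDerivation.Pbkdf2(
            password: PepperedPassword(password, LoadPepper()),
            salt: stored.Salt,
            prf: KeyDerivationPrf.HMACSHA256,
            iterationCount: stored.Iterations,   // the count the record was created with
            numBytesRequested: stored.Hash.Length);
        return CryptographicOperations.FixedTimeEquals(candidate, stored.Hash);
    }

    public static void Main()
    {
        StoredPassword stored = Hash("correct horse battery staple");
        Console.WriteLine(Verify("correct horse battery staple", stored));
        Console.WriteLine(Verify("wrong password", stored));
    }
}
```

Two operational caveats follow from the design. Because the pepper is a secret key and not stored beside the hash, losing it makes every stored password unverifiable, and rotating it means re-hashing each user on their next successful login, so back it up like any other key. And when a login names a user that does not exist, still run Verify against a dummy record so the response time does not reveal which usernames are valid.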
