The current implementation of Crypto.HashPassword() uses a hard-coded iteration count for the PBKDF2 algorithm of 1,000 ([Crypto.cs](https://aspnetwebstack.codeplex.com/SourceControl/latest#src/System.Web.Helpers/Crypto.cs)). This is the minimum recommended iteration count as specified in RFC2898, published in September 2000.
Given the hardware advancements in recent years, this number seems to be very low (e.g. LastPass now uses 100,000 PBKDF2 iterations for the master password, Django defaults to 10,000).
The whole point of using PBKDF2 is that the number of iterations can be increased when hardware gets faster, so I think it would make sense to provide an overload for HashPassword() that takes the iteration count as a parameter.
Sources:
[1] http://stackoverflow.com/questions/6054082/recommended-of-iterations-when-using-pkbdf2-sha256
[2] http://www.levigross.com/post/18880148948/a-review-of-djangos-new-password-authentication