I'm developing an MVC 5 web application using Entity Framework Database First approach with an existing database.
I'm also using ASP.Net Identity for my Authorisation and Authentication; however, I'm not using the built-in Entity Framework code (i.e., UserManager, ApplicationUser, etc.). Instead I'm using an approach similar to this one by Brock Allen:
http://brockallen.com/2013/10/24/a-primer-on-owin-cookie-authentication-middleware-for-the-asp-net-developer/
I'm now working on Account Login and Registration and I want to hash the User password before I store it in my custom User table.
I realise I can create my own custom class which implements IPasswordHasher; however, that's where I become stuck. Below is a mock-up of how I think it should work, but I'm not entirely sure this is even correct.

    public class CustomPassword : IPasswordHasher
    {
        // Placeholder: currently returns the password unchanged (no hashing yet)
        public string HashPassword(string password)
        {
            return password;
        }

        // Placeholder: currently compares the two strings directly
        public PasswordVerificationResult VerifyHashedPassword(string hashedPassword, string providedPassword)
        {
            if (hashedPassword.Equals(providedPassword))
                return PasswordVerificationResult.Success;
            else
                return PasswordVerificationResult.Failed;
        }
    }
These are my questions:
Q1: When registering a new user account, I pass the user password into the HashPassword method from my Account Controller, like this. I would like the user password hashed and returned as a string; however, I don't know what code to put into the HashPassword function to do this.

    CustomPassword pwd = new CustomPassword();
    String UserPassword = "test@123";
    String HashedNewPassword = pwd.HashPassword(UserPassword);

Q2: When a user then logs into the website, I would like to take their supplied password, retrieve the hashed password from the database user table, and then compare them inside the VerifyHashedPassword method. But again, I don't know what the code is to compare a hashed string against a non-hashed string.
I would greatly appreciate any advice on how to do this.
Thanks.
ASP.NET Core Identity and password hashing

The app will create a hash of the password and store it in the database along with the user's details. A hash is a one-way function, so given the password you can work out the hash, but given the hash you can't get the original password back.
It uses a Key Derivation Function with random salt to produce the hash. The salt is included as part of the output of the KDF. Thus, each time you "hash" the same password you will get different hashes.
While PBKDF2 is a hard job for a CPU, it's quite an easy job for a GPU system. BCrypt is from 1999 and is GPU/ASIC-resilient by design, as it's also a memory-hardening function: it's not just CPU-intensive but also RAM-intensive to execute a bcrypt hash.
In cryptography, salt is randomly generated for each password. In a typical setting, the salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database.
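The scheme described above (a KDF with a random per-password salt, the salt stored as part of the output) written out as an IPasswordHasher for the MVC 5 Microsoft.AspNet.Identity interface. This is an added example, not code from the question, the answers or the Identity library; it assumes .NET Framework 4.7.2 or later for the Rfc2898DeriveBytes overload that takes a HashAlgorithmName, and the stored-string layout ("PBKDF2-SHA256.iterations.salt.subkey") is a format chosen for this example.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNet.Identity;

// Stored format (chosen for this example): PBKDF2-SHA256.{iterations}.{base64 salt}.{base64 subkey}
public class Pbkdf2PasswordHasher : IPasswordHasher
{
    private const string Label = "PBKDF2-SHA256";
    private const int SaltSize = 16;       // 128-bit random salt, unique per password
    private const int SubkeySize = 32;     // 256-bit derived key
    private const int Iterations = 100000; // raise over time as hardware gets faster

    public string HashPassword(string password)
    {
        if (password == null) throw new ArgumentNullException("password");
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);                                  // fresh salt: same password, different output each time
        byte[] subkey = Derive(password, salt, Iterations);
        return string.Join(".", Label, Iterations.ToString(),
            Convert.ToBase64String(salt), Convert.ToBase64String(subkey));
    }

    public PasswordVerificationResult VerifyHashedPassword(string hashedPassword, string providedPassword)
    {
        if (hashedPassword == null || providedPassword == null) return PasswordVerificationResult.Failed;
        string[] parts = hashedPassword.Split('.');
        int iterations;
        if (parts.Length != 4 || parts[0] != Label || !int.TryParse(parts[1], out iterations) || iterations < 1)
            return PasswordVerificationResult.Failed;            // malformed or unknown record: never "succeed" by accident
        byte[] salt, expected;
        try { salt = Convert.FromBase64String(parts[2]); expected = Convert.FromBase64String(parts[3]); }
        catch (FormatException) { return PasswordVerificationResult.Failed; }
        byte[] actual = Derive(providedPassword, salt, iterations); // re-derive with the stored salt, then compare
        if (!FixedTimeEquals(actual, expected)) return PasswordVerificationResult.Failed;
        // Old record with a weaker work factor: tell the caller to re-hash on this successful login
        return iterations < Iterations ? PasswordVerificationResult.SuccessRehashNeeded : PasswordVerificationResult.Success;
    }

    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(SubkeySize);
    }

    // Compare every byte regardless of where the first mismatch is, so timing does not leak the prefix length
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

For Q1 call HashPassword at registration and store the returned string; for Q2 load that string for the user and call VerifyHashedPassword with the password the login form supplied, treating anything other than Success or SuccessRehashNeeded as a failed login.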
After creating the UserManager instance, assign the PasswordHasher property to your CustomPasswordHasher:

    UserManager<ApplicationUser> UserManager = new UserManager<ApplicationUser>(store);
    UserManager.PasswordHasher = new CustomPasswordHasher(); // IPasswordHasher

Use the UserManager to find the user with the username and password.