ASP.Net Identity Manual Password Hashing

I'm developing an MVC 5 web application using Entity Framework Database First approach with an existing database.

I'm also using ASP.Net Identity for my authorisation and authentication; however, I'm not using the built-in Entity Framework code (i.e., UserManager, ApplicationUser, etc.). Instead I'm using an approach similar to this one by Brock Allen:

http://brockallen.com/2013/10/24/a-primer-on-owin-cookie-authentication-middleware-for-the-asp-net-developer/

I'm now working on Account Login and Registration and I want to hash the User password before I store it in my custom User table.

I realise I can create my own custom class which implements IPasswordHasher; however, that's where I become stuck. Below is a mock-up of how I think it should work, but I'm not entirely sure this is even correct.

using Microsoft.AspNet.Identity; // IPasswordHasher and PasswordVerificationResult live here

public class CustomPassword : IPasswordHasher
{
    // Placeholder: currently returns the password unchanged (no hashing yet)
    public string HashPassword(string password)
    {
        return password;
    }

    // Placeholder: currently a plain string comparison against the stored value
    public PasswordVerificationResult VerifyHashedPassword(string hashedPassword, string providedPassword)
    {
        if (hashedPassword.Equals(providedPassword))
            return PasswordVerificationResult.Success;
        else
            return PasswordVerificationResult.Failed;
    }
}

These are my questions:

Q1: When registering a new user account, I pass the user password into the HashPassword method from my Account Controller, like this. I would like the user password hashed and returned as a string; however, I don't know what code to put into the HashPassword function to do this.

CustomPassword pwd = new CustomPassword();
String UserPassword = "test@123";
String HashedNewPassword = pwd.HashPassword(UserPassword);

Q2: When a user then logs into the website, I would like to take their supplied password, retrieve the hashed password from the database user table, and then compare them inside the VerifyHashedPassword method. But again, I don't know what the code is to compare a hashed string against a non-hashed string.

I would greatly appreciate any advice on how to do this.

Thanks.

tcode asked Feb 03 '14 14:02


1 Answer

After creating the UserManager instance, assign its PasswordHasher property to your CustomPasswordHasher:

using Microsoft.AspNet.Identity;

UserManager<ApplicationUser> UserManager = new UserManager<ApplicationUser>(store);
UserManager.PasswordHasher = new CustomPasswordHasher(); // any IPasswordHasher implementation

Use the UserManager to find the user by username and password.

jd4u answered Sep 23 '22 19:09
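As an added example (not code from the question or the answer), here is a complete IPasswordHasher that fills in both methods the question leaves empty and can be assigned to UserManager.PasswordHasher as the answer describes. It uses salted PBKDF2 via Rfc2898DeriveBytes and a fixed-time comparison; the record format, sizes and iteration count are this example's own choices. Note that the built-in Microsoft.AspNet.Identity.PasswordHasher already does salted PBKDF2, so a custom hasher is only needed when the stored format has to differ.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNet.Identity;

// Added example, not from the question or answer. Record format, sizes and
// iteration count are this example's own choices (Rfc2898DeriveBytes = HMAC-SHA1).
public class Pbkdf2PasswordHasher : IPasswordHasher
{
    private const int SaltSize = 16;       // 128-bit random salt per password
    private const int KeySize = 32;        // 256-bit derived key
    private const int Iterations = 100000; // raise as hardware allows

    // Q1: store "pbkdf2$<iterations>$<salt>$<key>" so salt and cost are recoverable at login.
    public string HashPassword(string password)
    {
        if (password == null) throw new ArgumentNullException("password");
        byte[] salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        byte[] key;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            key = kdf.GetBytes(KeySize);
        return string.Format("pbkdf2${0}${1}${2}", Iterations,
            Convert.ToBase64String(salt), Convert.ToBase64String(key));
    }

    // Q2: the plain-text password is never compared with the stored string;
    // it is re-derived with the stored salt and the two derived keys are compared.
    public PasswordVerificationResult VerifyHashedPassword(string hashedPassword, string providedPassword)
    {
        if (hashedPassword == null || providedPassword == null)
            return PasswordVerificationResult.Failed;
        string[] parts = hashedPassword.Split('$');
        int iterations;
        if (parts.Length != 4 || parts[0] != "pbkdf2" || !int.TryParse(parts[1], out iterations))
            return PasswordVerificationResult.Failed;
        byte[] salt = Convert.FromBase64String(parts[2]);
        byte[] expected = Convert.FromBase64String(parts[3]);
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(providedPassword, salt, iterations))
            actual = kdf.GetBytes(expected.Length);
        // Compare every byte so timing does not reveal where a mismatch starts.
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        if (diff != 0) return PasswordVerificationResult.Failed;
        // Records hashed with a lower cost can be re-hashed on this login.
        return iterations < Iterations
            ? PasswordVerificationResult.SuccessRehashNeeded
            : PasswordVerificationResult.Success;
    }
}
```

Because the salt is random, HashPassword returns a different string each call for the same password; VerifyHashedPassword still succeeds because it re-derives the key from the salt embedded in the stored record.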