I have been tasked with making sure that users cannot reuse previous passwords when changing their password. To that end, I store the hash of their password when the Identity framework hashes the password.
My question is how to compare the hash of the user's newly selected password with the hash of their previously used password that I have saved? I need to take into account the salt that the Identity framework is using.
UPDATE: I am using `appUserManager.PasswordHasher.HashPassword(passwordToHash)` to hash the password, but it creates a new hash each time (I assume it is because the Identity framework is using a salt internally).
The current password hash for a user is stored in the table/column `AspNetUsers.PasswordHash`. This is also available through EF: `ApplicationDbContext.Users.PasswordHash`.
So you will need to create your own table that references the user table and, on every password change, copy the previous hash into your table.
The next step would be to verify that the new password does not match any of the old hashes. For that you need to use `Microsoft.AspNet.Identity.PasswordHasher.VerifyHashedPassword(string hashedPassword, string providedPassword)`, where `hashedPassword` would be a value from your table of historic hashes and `providedPassword` would be the new proposed password.
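The approach in the answer above, written out as an added example (this is not code from the question, the answer, or the ASP.NET Identity project). The `PreviousPassword` entity, the `PreviousPasswords` DbSet, the `HistoryDepth` constant and the constructor that takes the context directly are assumptions made for the illustration; `UserManager<TUser>`, `PasswordHasher`, `VerifyHashedPassword`, `PasswordVerificationResult` and `IdentityResult.Failed` are the real ASP.NET Identity 2.x APIs. The key point is that every stored hash carries its own salt, so string equality between hashes is meaningless; each historic hash has to be verified against the candidate password individually.

```csharp
using System;
using System.Data.Entity;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// Assumed history entity: one row per retired hash, keyed to AspNetUsers.Id.
public class PreviousPassword
{
    public int Id { get; set; }
    public string UserId { get; set; }
    public string PasswordHash { get; set; }
    public DateTime CreatedUtc { get; set; }
}

public class ApplicationUser : IdentityUser { }

public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
{
    public ApplicationDbContext() : base("DefaultConnection") { }

    // Assumed table holding the historic hashes copied out on each change.
    public DbSet<PreviousPassword> PreviousPasswords { get; set; }
}

public class ApplicationUserManager : UserManager<ApplicationUser>
{
    // Assumption: how many retired passwords are blocked from reuse.
    private const int HistoryDepth = 5;
    private readonly ApplicationDbContext _db;

    public ApplicationUserManager(ApplicationDbContext db)
        : base(new UserStore<ApplicationUser>(db))
    {
        _db = db;
    }

    // True if the candidate password verifies against any stored hash.
    // Each stored value embeds its own salt, so VerifyHashedPassword must be
    // called per historic hash; comparing hash strings would never match.
    public async Task<bool> IsPreviousPasswordAsync(string userId, string candidate)
    {
        var history = await _db.PreviousPasswords
            .Where(p => p.UserId == userId)
            .OrderByDescending(p => p.CreatedUtc)
            .Take(HistoryDepth)
            .Select(p => p.PasswordHash)
            .ToListAsync();

        return history.Any(hash =>
            hash != null &&
            PasswordHasher.VerifyHashedPassword(hash, candidate)
                != PasswordVerificationResult.Failed);
    }

    public override async Task<IdentityResult> ChangePasswordAsync(
        string userId, string currentPassword, string newPassword)
    {
        var user = await FindByIdAsync(userId);
        if (user == null)
            return IdentityResult.Failed("User not found.");

        // The hash currently in AspNetUsers is not in the history table yet,
        // so it has to be checked explicitly alongside the retired ones.
        bool sameAsCurrent = user.PasswordHash != null &&
            PasswordHasher.VerifyHashedPassword(user.PasswordHash, newPassword)
                != PasswordVerificationResult.Failed;

        if (sameAsCurrent || await IsPreviousPasswordAsync(userId, newPassword))
            return IdentityResult.Failed("You cannot reuse a previous password.");

        string retiredHash = user.PasswordHash;
        var result = await base.ChangePasswordAsync(userId, currentPassword, newPassword);
        if (!result.Succeeded)
            return result;

        // Copy the old hash into the history table only after the change
        // succeeded, so a failed attempt does not pollute the history.
        if (retiredHash != null)
        {
            _db.PreviousPasswords.Add(new PreviousPassword
            {
                UserId = userId,
                PasswordHash = retiredHash,
                CreatedUtc = DateTime.UtcNow
            });
            await _db.SaveChangesAsync();
        }
        return result;
    }
}
```

The check treats `SuccessRehashNeeded` the same as `Success`, since either means the password matched; only `Failed` clears the candidate. The same `IsPreviousPasswordAsync` test belongs in any other path that sets a password (for example `ResetPasswordAsync`), otherwise the history can be bypassed through the reset flow.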