
In my ASP.NET applications I have the following settings in DefaultMembershipProvider and SqlMembershipProvider in web.config:

enablePasswordRetrieval="true"
passwordFormat="Clear" 
requiresQuestionAndAnswer="false" 

They are required for Digest authentication. I would like to move to ASP.NET Identity. I am using an automated tool to update all web.config files that I manage.

How do I set these settings for ASP.NET Identity in the project generated by Visual Studio 2013?

IT Hit WebDAV
  • Password retrieval greatly increases the weakness of an application by requiring two-way encryption and then relaying credentials in plain text. Consider implementing password reset tokens via e-mail instead if possible. – pwdst Nov 13 '13 at 12:20
  • I am pretty sure this is not possible with Digest auth. – IT Hit WebDAV Nov 13 '13 at 15:23
  • I found an article dated 2014 about custom password policy: https://blogs.msdn.microsoft.com/webdev/2014/01/06/implementing-custom-password-policy-using-asp-net-identity/ – oneNiceFriend Jun 01 '16 at 13:01

1 Answer


You need to provide an IPasswordHasher implementation that can provide the clear password without hashing. You can set UserManager.PasswordHasher to your implementation.

As of now, there are no web.config-configurable settings for Identity. You need to provide the appropriate mix of configuration in code, mainly in Startup.cs.

It is not recommended to store passwords in clear format.

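using Microsoft.AspNet.Identity;

// Password "hasher" that applies no hashing: the clear text is what gets persisted.
public class ClearPassword : IPasswordHasher
{
    // Returns the password unchanged.
    public string HashPassword(string password)
    {
        return password;
    }

    // Compares the stored clear-text password with the one supplied at sign-in.
    public PasswordVerificationResult VerifyHashedPassword(string hashedPassword, string providedPassword)
    {
        // The null check avoids a NullReferenceException when no password is stored.
        if (hashedPassword != null && hashedPassword.Equals(providedPassword))
            return PasswordVerificationResult.Success;
        return PasswordVerificationResult.Failed;
    }
}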
jd4u
  • Is the provided password clear text or hashed (in case we used hashed passwords)? – idipous Dec 23 '13 at 10:39
  • The example is of the clear text password. You can implement a hashing algorithm in the HashPassword(string password) function and, in the same way, verify it in the VerifyHashedPassword function. – jd4u Dec 23 '13 at 15:18
  • Thanks jd4u, but I couldn't get where to add this class and where to call it. – oneNiceFriend Jun 01 '16 at 13:02
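
An added example, not part of the answer above or of ASP.NET Identity: a Digest (RFC 2617) response can be verified from a stored HA1 = MD5(username:realm:password) instead of the clear password. The class and method names are hypothetical, and because the HashPassword method shown above receives only the password, HA1 has to be computed where the user name and realm are known; the sample values are the worked example from RFC 2617.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not an ASP.NET Identity type): Digest check against a stored HA1.
public static class DigestHa1
{
    // Lowercase hex MD5 of the UTF-8 bytes (UTF-8 is an assumption; RFC 2617 names no charset).
    static string Md5Hex(string s)
    {
        using (var md5 = MD5.Create())
        {
            var sb = new StringBuilder(32);
            foreach (byte b in md5.ComputeHash(Encoding.UTF8.GetBytes(s)))
                sb.Append(b.ToString("x2"));
            return sb.ToString();
        }
    }

    // Computed once, when the password is set; this value is stored instead of the password.
    public static string ComputeHa1(string userName, string realm, string password)
    {
        return Md5Hex(userName + ":" + realm + ":" + password);
    }

    // Covers algorithm=MD5 with qop=auth only: MD5(HA1:nonce:nc:cnonce:auth:MD5(method:uri)).
    public static bool VerifyResponse(string storedHa1, string method, string uri,
        string nonce, string nc, string cnonce, string response)
    {
        response = response ?? "";
        string ha2 = Md5Hex(method + ":" + uri);
        string expected = Md5Hex(storedHa1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
        // Compare without an early exit so timing does not reveal how many characters matched.
        int diff = expected.Length ^ response.Length;
        for (int i = 0; i < expected.Length && i < response.Length; i++)
            diff |= expected[i] ^ response[i];
        return diff == 0;
    }

    public static void Main()
    {
        // User, realm, password, nonce and response taken from the RFC 2617 example.
        string ha1 = ComputeHa1("Mufasa", "testrealm@host.com", "Circle Of Life");
        Console.WriteLine(VerifyResponse(ha1, "GET", "/dir/index.html",
            "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b",
            "6629fae49393a05397450978507c4ef1"));
    }
}
```

A stored HA1 still lets whoever holds it answer Digest challenges for that realm, so it needs the same protection as a credential. What it avoids is keeping the clear password, which could be reused outside the realm.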