
I built an ASP.NET 4.5 website using Web Forms. The site has the Login/Registration mechanism provided by Microsoft; therefore, there's a DB holding the user registration info. One of the tables is 'AspNetUsers'; it contains reg info, including two fields I need help with: 'PasswordHash' and 'SecurityStamp'.

I need to support users logging in from mobile devices, using the credentials established when they registered. When users, trying to log in, provide their username and p/w, I'd like to hash the provided p/w and compare it with the hashed p/w stored in the 'PasswordHash' field of 'AspNetUsers'.

Two problems: I can't confirm what hashing algorithm is used and I don't know where to get the salt in order to compute a hash value for comparison with the DB. Does 'SecurityStamp' have anything to do with salt?

I've been looking both here and the rest of the Web for four days, can't seem to duplicate my situation. A tutorial or example would be awesome, or a pointer to another SO entry that answers my question. Many thanks, and happy holidays to all who celebrate the season.

  • @walther: Thank you for the pointer, I checked it out and some information was useful. I'm still not getting it: when validating a password, I think I need to retrieve the salt value so I can compute a hash. I don't see where the salt is stored, but I'm so far off base I'm wondering if my approach is incorrect? Where do I get the salt value? Is it embedded in the PasswordHash field, i.e. a substring of that field? Thanks for the help. – user2192275 Dec 22 '14 at 13:18
  • @user2192275 Many password hashing schemes combine password and salt into a single string. Then to verify it they split the string, extracting hash and salt. – CodesInChaos Dec 22 '14 at 13:36
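The split-and-verify step described in the last comment, as an added example that is not part of the original thread or Microsoft's code. It assumes the site uses the default ASP.NET Identity 1.x/2.x hasher, whose 'PasswordHash' value is Base64 of a 0x00 marker, a 16-byte salt and a 32-byte PBKDF2-HMAC-SHA1 subkey (1000 iterations); the class name, helper names and sample password are hypothetical.

```csharp
using System;
using System.Security.Cryptography;

static class IdentityHashDemo // hypothetical name, illustration only
{
    // Assumed layout: Base64( 0x00 | 16-byte salt | 32-byte subkey ), PBKDF2-HMAC-SHA1, 1000 iterations.
    const int SaltLen = 16, KeyLen = 32, Iterations = 1000;

    static byte[] Derive(string password, byte[] salt)
    {
        // This constructor uses HMAC-SHA1, matching the assumed format.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(KeyLen);
    }

    // Builds a value in the assumed format so the demo has something to verify.
    static string Hash(string password, byte[] salt)
    {
        var blob = new byte[1 + SaltLen + KeyLen]; // blob[0] stays 0x00 (format marker)
        Buffer.BlockCopy(salt, 0, blob, 1, SaltLen);
        Buffer.BlockCopy(Derive(password, salt), 0, blob, 1 + SaltLen, KeyLen);
        return Convert.ToBase64String(blob);
    }

    static bool Verify(string storedHash, string password)
    {
        byte[] blob;
        try { blob = Convert.FromBase64String(storedHash); }
        catch (FormatException) { return false; }
        // Reject anything that is not the expected marker and length.
        if (blob.Length != 1 + SaltLen + KeyLen || blob[0] != 0x00) return false;

        var salt = new byte[SaltLen]; // the salt is a slice of the stored value
        Buffer.BlockCopy(blob, 1, salt, 0, SaltLen);
        byte[] actual = Derive(password, salt);

        int diff = 0; // accumulate differences so the loop never exits early
        for (int i = 0; i < KeyLen; i++) diff |= blob[1 + SaltLen + i] ^ actual[i];
        return diff == 0;
    }

    static void Main()
    {
        var salt = new byte[SaltLen];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        string stored = Hash("constructed-sample-pw", salt); // constructed stand-in for a PasswordHash value
        Console.WriteLine(Verify(stored, "constructed-sample-pw"));
        Console.WriteLine(Verify(stored, "wrong-guess"));
    }
}
```

Inside the application, `PasswordHasher.VerifyHashedPassword` and `UserManager.CheckPasswordAsync` from Microsoft.AspNet.Identity perform this check, so a login endpoint called by the mobile client can use those instead of reimplementing the format.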

0 Answers