5

I used SHA1 for hashing passwords on my site. I'm trying to move to ASP.NET Identity. I found how I can verify the old passwords (ASP.NET Identity default Password Hasher, how does it work and is it secure?):

public class CustomPasswordHasher : IPasswordHasher
{
 //....
  public static bool VerifyHashedPassword(string hashedPassword, string password)
  {
    byte[] buffer4;
    if (hashedPassword == null)
    {
        return false;
    }
    if (password == null)
    {
        throw new ArgumentNullException("password");
    }
// Old hash verification
    using (SHA1Managed sha1 = new SHA1Managed())
    {
      var hash = sha1.ComputeHash(Encoding.UTF8.GetBytes(password));
      var sb = new StringBuilder(hash.Length * 2);

      foreach (byte b in hash)
      {
          sb.Append(b.ToString("x2"));
      }

      if(hashedPassword == sb.ToString()) return true;
      else return false;
    }

// Identity hash verification
    byte[] src = Convert.FromBase64String(hashedPassword);
    if ((src.Length != 0x31) || (src[0] != 0))
    {
        return false;
    }
    byte[] dst = new byte[0x10];
    Buffer.BlockCopy(src, 1, dst, 0, 0x10);
    byte[] buffer3 = new byte[0x20];
    Buffer.BlockCopy(src, 0x11, buffer3, 0, 0x20);
    using (Rfc2898DeriveBytes bytes = new Rfc2898DeriveBytes(password, dst, 0x3e8))
    {
        buffer4 = bytes.GetBytes(0x20);
    }
        return ByteArraysEqual(buffer3, buffer4);
  }
//....
}

In my custom ApplicationUserManager, I set the PasswordHasher property:

//....
manager.PasswordHasher = new CustomPasswordHasher();
//....

Now, I would like delete the old hash(sha1) and save the new hash.How I can do it?

Thanks in advance!

Community
  • 1
  • 1
Mikhalkin S
  • 53
  • 1
  • 2
  • 6

1 Answers1

4

You can't do that until user tries to login - you only have SHA1 hash. And from SHA1 you can't convert to other hashing algorithm.

But when user logs in you have their password in memory and can work with it to generate a new hash. Here some pseudo-code:

public void Login(String username, String password)
{
    if(DoesOldHashMatch(username, password)){
        var newHash = NewHasher.GetPasswordHash(password);
        UpdateUserPasswordHash(username, newHash);
        SetLoginCookie(username);
        return;
    }
    if(NewHashMatch(username, password))
    {
        SetLoginCookie(username);
    }
}
trailmax
  • 34,305
  • 22
  • 140
  • 234