0

We are using Identity Server 4 for our user authentication.

I need to add a feature to restrict users from repeating one of their last 5 passwords.

To check the new password against their history, I think the best way is to (1 historic password at a time) use the historic salt to hash their new password, then compare the output.

I can get each historic salt from its hash, but I don't know how to

  1. use a specific salt for the hash
  2. generate the hash to compare against the historic one

I have checked the docs at http://docs.identityserver.io/en/release/ but I can't find anything relevant there.

Am I on the right track here? If so, how can I do the above? If not, how can I check that a new password hasn't been used before? (within the last 5 anyway)

CompanyDroneFromSector7G
  • will this help? [How can I use salting+hashing on my ASP.Net application?](https://stackoverflow.com/questions/4404253/how-can-i-use-saltinghashing-on-my-asp-net-application) – Kaj Jun 21 '18 at 11:51
  • It's similar, but not about IdentityServer4. I really need to know how exactly IdentityServer4 generates the hash, e.g. how is the salt applied, what is the hash algorithm (I assume SHA256), etc. – CompanyDroneFromSector7G Jun 21 '18 at 11:56

1 Answer

0

IdentityServer4 does not do anything with user passwords or authentication. Are you asking about ASP.Net Identity? If so I'd suggest delving into the code for that in Github and overriding what you need.

As for a general approach; I'd use a hash salted with a user-specific, immutable salt but ONLY do that for historical passwords stored separately in a different table. Their current password should use a random salt as normal.

mackie
  • Re: your first para, thanks for that, my assumption was wrong. I'll look up how to create a hash via ASP.Net Identity. Also, all the salts are the same value currently, so I assume this is due to some setting somewhere. – CompanyDroneFromSector7G Jun 21 '18 at 12:14
  • I just found the following which I can use for what I need: `Microsoft.AspNetCore.Identity.PasswordVerificationResult VerifyHashedPassword (TUser user, string hashedPassword, string providedPassword);` – CompanyDroneFromSector7G Jun 21 '18 at 12:27
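Worked example, added by the editor and not code from the question, the answer or the ASP.NET Core Identity project. It answers the two concrete questions in the post (how the salt is applied, and how to regenerate a hash to compare against a stored one) by reimplementing in Python the hash layout that `Microsoft.AspNetCore.Identity.PasswordHasher<TUser>` writes in its default `IdentityV3` compatibility mode: a one-byte format marker, then big-endian uint32 fields for PRF, iteration count and salt length, then the random salt, then a PBKDF2-HMAC-SHA256 subkey, all base64-encoded. Because the salt and parameters travel inside the stored string, checking a candidate password against a historic entry is just "parse the stored hash, run PBKDF2 with that salt, compare": no fixed per-user salt is needed, and every history entry keeps its own random salt. The history list, the passwords in it and the `HISTORY_DEPTH` of 5 are constructed for the demo; the assumption that the app uses the hasher's defaults is marked in the code.

```python
import base64
import hashlib
import hmac
import os
import struct

# Layout of a Microsoft.AspNetCore.Identity.PasswordHasher<TUser> hash in its
# default IdentityV3 compatibility mode, base64-encoded:
#   byte 0      : 0x01 format marker
#   bytes 1-4   : PRF, big-endian uint32 (KeyDerivationPrf: 0=HMACSHA1, 1=HMACSHA256, 2=HMACSHA512)
#   bytes 5-8   : PBKDF2 iteration count, big-endian uint32
#   bytes 9-12  : salt length in bytes, big-endian uint32
#   then        : the salt, then the PBKDF2 subkey
# Assumption: the app uses the hasher's defaults (HMACSHA256, 128-bit salt, 256-bit
# subkey). The default iteration count is 10000 in ASP.NET Core 1.x-6.0 and 100000
# from .NET 7, which is why verification reads it from the stored hash.
FORMAT_MARKER_V3 = 0x01
PRF_HMACSHA256 = 1
PRF_NAMES = {0: "sha1", 1: "sha256", 2: "sha512"}
DEFAULT_ITERATIONS = 10000
SALT_SIZE = 16
SUBKEY_SIZE = 32
HISTORY_DEPTH = 5  # "last 5 passwords" from the question


def hash_password_v3(password, salt=None, iterations=DEFAULT_ITERATIONS):
    """Produce a hash in the IdentityV3 layout, with a fresh random salt unless one is given."""
    if salt is None:
        salt = os.urandom(SALT_SIZE)
    subkey = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, SUBKEY_SIZE)
    header = bytes([FORMAT_MARKER_V3]) + struct.pack(">III", PRF_HMACSHA256, iterations, len(salt))
    return base64.b64encode(header + salt + subkey).decode("ascii")


def parse_v3(hashed):
    """Split a stored hash into (prf name, iterations, salt, subkey); ValueError if malformed."""
    raw = base64.b64decode(hashed)
    if len(raw) < 13 or raw[0] != FORMAT_MARKER_V3:
        raise ValueError("not an IdentityV3 hash")
    prf, iterations, salt_len = struct.unpack(">III", raw[1:13])
    salt = raw[13:13 + salt_len]
    subkey = raw[13 + salt_len:]
    # Same sanity checks the real hasher applies: known PRF, salt and subkey of at least 128 bits.
    if prf not in PRF_NAMES or len(salt) != salt_len or salt_len < 16 or len(subkey) < 16:
        raise ValueError("unsupported IdentityV3 header")
    return PRF_NAMES[prf], iterations, salt, subkey


def verify_v3(hashed, provided):
    """Re-derive the subkey using the salt and parameters from the stored hash, compare in constant time."""
    try:
        prf, iterations, salt, expected = parse_v3(hashed)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac(prf, provided.encode("utf-8"), salt, iterations, len(expected))
    return hmac.compare_digest(actual, expected)


def password_in_history(new_password, history):
    """True if new_password matches any of the last HISTORY_DEPTH stored hashes (oldest first)."""
    return any(verify_v3(stored, new_password) for stored in history[-HISTORY_DEPTH:])


def record_password(history, hashed):
    """Append the user's new current hash verbatim and keep only the last HISTORY_DEPTH entries."""
    history.append(hashed)
    del history[:-HISTORY_DEPTH]


def demo():
    # Constructed history: six successive passwords for one user, each hashed with its own salt.
    history = []
    for old in ["Winter2017!", "Spring2018!", "Summer2018!", "Autumn2018!", "Winter2018!", "Spring2019!"]:
        record_password(history, hash_password_v3(old))
    return {
        "kept": len(history),
        "reuse_of_recent": password_in_history("Summer2018!", history),   # still within the last 5
        "reuse_of_oldest": password_in_history("Winter2017!", history),   # rotated out, so allowed
        "fresh": password_in_history("Correct-Horse-Battery-Staple", history),
    }


if __name__ == "__main__":
    print(demo())
```

In the application itself there is no need to reimplement any of this: store the user's previous `PasswordHash` values verbatim in a history table when the password changes, and on a change request call `IPasswordHasher<TUser>.VerifyHashedPassword(user, storedHistoryHash, newPassword)` for each of the last five rows, treating both `PasswordVerificationResult.Success` and `PasswordVerificationResult.SuccessRehashNeeded` as a match (the latter means the old entry was hashed with older parameters but still matched). Packaging that loop as an `IPasswordValidator<TUser>` registered with Identity makes it run on every password set or reset. The price of keeping a random salt per entry, rather than the fixed per-user salt the answer suggests, is one PBKDF2 run per stored entry instead of one in total, which at a history depth of five is negligible.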