Is there a way to configure Identity Core so that it does not allow the same password when a user is changing their password, set once at project startup? I do not want to check it with an IF clause; I want to set it in the Identity Core options or somewhere like that, to manage it globally in my project (ASP.NET Core with C#).

2 Answers

First, you will have to store the previous password hashes separately in a table. Then you will need to implement your own password validator and register it, which should overwrite the default password validator for ASP.NET Core Identity.

  1. Implement Microsoft.AspNetCore.Identity.IPasswordValidator<TUser> as

    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Identity;
    public class MyPasswordValidator : IPasswordValidator<ApplicationUser>
    {
        public Task<IdentityResult> ValidateAsync(UserManager<ApplicationUser> manager, ApplicationUser user, string password)
        {
            // custom validation logic
            // search for previous passwords based on user's id and see if they match (hashes are salted,
            // so verify with the hasher rather than comparing strings); shown here against the current
            // hash only, which is still the old hash while ChangePasswordAsync validates the new password
            var reused = user.PasswordHash != null &&
                manager.PasswordHasher.VerifyHashedPassword(user, user.PasswordHash, password)
                    != PasswordVerificationResult.Failed;
            return Task.FromResult(reused
                ? IdentityResult.Failed(new IdentityError { Code = "PasswordReused", Description = "The new password must differ from the previous one." })
                : IdentityResult.Success);
        }
    }
    
  2. Register it in the services. Make sure you place it after registering all the default ASP.NET Identity services.

    services.AddScoped<IPasswordValidator<ApplicationUser>, MyPasswordValidator>();
    

You can also add a property for previous passwords to your ApplicationUser class so that all the previous passwords are already present in your user variable.

  • Thank you @rabinak. It's so helpful. I'm looking for something like this: services.IdentityCore(options => option.password.length = 8;) in the Configuration method of the startup file, to force the user to have a different password at password-change time – S BZG Jun 08 '20 at 17:55
  • The hash is DIFFERENT even if the password is the same, so comparing hashes is not the answer. I guess the best is to try the signInManager.CheckPasswordSignInAsync method with the new password [in password change]; if it succeeds, then forbid that new password. – Tommix Jan 18 '21 at 12:17
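A fuller version of the history validator, as an added example that is not part of the answer above nor of ASP.NET Core Identity's own code. It assumes an ApplicationUser derived from IdentityUser, a hypothetical IPasswordHistoryStore that returns the hashes kept in the separate history table the answer describes, and a project that references Microsoft.AspNetCore.Identity. The point raised in the comment above drives the design: PasswordHasher salts every hash, so two hashes of the same password are different strings, and the only correct comparison is to run VerifyHashedPassword for the candidate against each stored hash. Because UserManager runs the password validators before it writes the new hash, user.PasswordHash is still the old hash during ChangePasswordAsync, so the same validator also catches the plain "same as the current password" case the question asks about without any history table at all. The Main method and the in-memory store are constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

// Assumed application user type; only its name appears on the original page.
public class ApplicationUser : IdentityUser { }

// Hypothetical history store: yields the stored hashes of a user's earlier passwords.
// In a real app this reads the separate history table the answer describes.
public interface IPasswordHistoryStore
{
    Task<IReadOnlyList<string>> GetPreviousHashesAsync(string userId);
}

public class PasswordHistoryValidator : IPasswordValidator<ApplicationUser>
{
    private readonly IPasswordHistoryStore _history;

    public PasswordHistoryValidator(IPasswordHistoryStore history) => _history = history;

    public async Task<IdentityResult> ValidateAsync(
        UserManager<ApplicationUser> manager, ApplicationUser user, string password)
    {
        // Check the current hash too: during ChangePasswordAsync the validators run
        // before the new hash is stored, so user.PasswordHash is still the old one.
        var hashes = new List<string>();
        if (user.PasswordHash != null) hashes.Add(user.PasswordHash);
        hashes.AddRange(await _history.GetPreviousHashesAsync(user.Id));

        if (!IsReused(manager.PasswordHasher, user, hashes, password))
            return IdentityResult.Success;

        return IdentityResult.Failed(new IdentityError
        {
            Code = "PasswordReused",
            Description = "You cannot reuse a password you have used before."
        });
    }

    // Every hash carries its own random salt, so two hashes of the same password differ.
    // The only correct comparison is to verify the candidate against each stored hash.
    public static bool IsReused(IPasswordHasher<ApplicationUser> hasher, ApplicationUser user,
                                IEnumerable<string> storedHashes, string candidate)
    {
        return storedHashes.Any(h =>
            hasher.VerifyHashedPassword(user, h, candidate) != PasswordVerificationResult.Failed);
    }
}

// In-memory store used by the demo below; constructed for illustration, not for production.
public class InMemoryPasswordHistoryStore : IPasswordHistoryStore
{
    private readonly Dictionary<string, List<string>> _hashes = new Dictionary<string, List<string>>();

    public void Add(string userId, string hash)
    {
        if (!_hashes.TryGetValue(userId, out var list))
            _hashes[userId] = list = new List<string>();
        list.Add(hash);
    }

    public Task<IReadOnlyList<string>> GetPreviousHashesAsync(string userId)
    {
        IReadOnlyList<string> result = _hashes.TryGetValue(userId, out var list) ? list : new List<string>();
        return Task.FromResult(result);
    }
}

public static class Demo
{
    public static void Main()
    {
        var hasher = new PasswordHasher<ApplicationUser>();
        var user = new ApplicationUser { Id = "u1", UserName = "alice" };
        var history = new InMemoryPasswordHistoryStore();

        // Constructed sample data: two earlier passwords plus the current one.
        history.Add(user.Id, hasher.HashPassword(user, "Winter2019!"));
        history.Add(user.Id, hasher.HashPassword(user, "Spring2020!"));
        user.PasswordHash = hasher.HashPassword(user, "Summer2020!");

        var known = history.GetPreviousHashesAsync(user.Id).Result.Append(user.PasswordHash).ToList();
        foreach (var candidate in new[] { "Winter2019!", "Summer2020!", "Autumn2020!" })
            Console.WriteLine($"{candidate}: reused = {PasswordHistoryValidator.IsReused(hasher, user, known, candidate)}");

        // Hashing the same password twice yields different strings, which is why a plain
        // string comparison of hashes (the approach the comment warns against) cannot work.
        Console.WriteLine(hasher.HashPassword(user, "Winter2019!") == hasher.HashPassword(user, "Winter2019!"));
    }
}
```

Register the store and the validator in Startup after AddIdentity or AddIdentityCore, for example services.AddScoped<IPasswordHistoryStore, YourEfHistoryStore>() and services.AddScoped<IPasswordValidator<ApplicationUser>, PasswordHistoryValidator>(). Identity registers its built-in PasswordValidator with TryAdd, so the custom one is added alongside it and UserManager consults every registered validator; any failure rejects the new password. The validator only reads history: the code that calls ChangePasswordAsync or ResetPasswordAsync must append the outgoing user.PasswordHash to the history table after a successful change, and should prune the history to the last N entries so the check stays cheap, since each stored hash costs one full PBKDF2 verification.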

You don't need to have it as a function in the User class to access it easily, because password change should be allowed on one page only, so the code that checks can also live on that page (model/controller).

THE EASIEST WAY is the obvious one: in the password change controller you MUST collect the OLD password and the NEW one as plain text, so why not just compare them? :D

Less easy way: just use signInManager.CheckPasswordSignInAsync in the password change controller (if for some reason you don't have the old password as plain text), BEFORE changing the password. If it succeeds, you know the new password is the same.

The best way [checking old passwords to prevent setting the same one again after first setting a new one, then resetting to the old (same) one]: password History for Identity Core

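The controller-side flow described in this answer, as an added example that is not code from the answer's author or from ASP.NET Core Identity. It assumes an ApplicationUser derived from IdentityUser, a ChangePasswordModel with OldPassword and NewPassword fields, a ManageController with an Index action to redirect to, and a project that references Microsoft.AspNetCore.Identity and MVC. It shows the plaintext comparison first, then the hash check for flows that do not collect the old password, and then the actual change. One caveat worth knowing before choosing the second check: SignInManager.CheckPasswordSignInAsync takes a lockoutOnFailure flag and, when it is true, records a mismatch as a failed sign-in, which in this flow is the expected outcome for every legitimate change; UserManager.CheckPasswordAsync answers the same question with no lockout side effect.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Assumed user type and form model; neither is defined on the original page.
public class ApplicationUser : IdentityUser { }

public class ChangePasswordModel
{
    public string OldPassword { get; set; }
    public string NewPassword { get; set; }
}

[Authorize]
public class ManageController : Controller
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly SignInManager<ApplicationUser> _signInManager;

    public ManageController(UserManager<ApplicationUser> userManager,
                            SignInManager<ApplicationUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> ChangePassword(ChangePasswordModel model)
    {
        if (!ModelState.IsValid) return View(model);

        var user = await _userManager.GetUserAsync(User);
        if (user == null) return Challenge();

        // Easiest way: both plaintexts were just posted, so compare them directly.
        if (model.OldPassword == model.NewPassword)
        {
            ModelState.AddModelError(nameof(model.NewPassword),
                "The new password must differ from the current one.");
            return View(model);
        }

        // Less easy way, for flows that do not collect the old password: verify the
        // new password against the stored hash. CheckPasswordAsync has no lockout side
        // effect; SignInManager.CheckPasswordSignInAsync with lockoutOnFailure: true
        // would record the expected mismatch as a failed sign-in attempt.
        if (await _userManager.CheckPasswordAsync(user, model.NewPassword))
        {
            ModelState.AddModelError(nameof(model.NewPassword),
                "The new password must differ from the current one.");
            return View(model);
        }

        // ChangePasswordAsync verifies the old password and runs every registered
        // IPasswordValidator<ApplicationUser> against the new one (this is where a
        // history check belongs), then rotates the security stamp.
        var result = await _userManager.ChangePasswordAsync(user, model.OldPassword, model.NewPassword);
        if (!result.Succeeded)
        {
            foreach (var error in result.Errors)
                ModelState.AddModelError(string.Empty, error.Description);
            return View(model);
        }

        // Re-issue the authentication cookie so the new security stamp does not
        // invalidate the current session.
        await _signInManager.RefreshSignInAsync(user);
        return RedirectToAction("Index"); // assumed confirmation action
    }
}
```

Keeping the checks in the controller answers the question's wish for a single place to manage the rule only for this one page; a rule enforced through ChangePasswordAsync's validators also covers ResetPasswordAsync, AddPasswordAsync and CreateAsync, which a controller-only check does not reach.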