
I have code here

var result = await _userManager.CreateAsync(user, model.Password);

When I register the account, the password is hashed. Is there any way I can hash the incoming password to compare with the stored and hashed password without using CheckPasswordAsync? The incoming converted password will be used for further purposes.

  • Does this answer your question? [ASP.NET Identity's default Password Hasher - How does it work and is it secure?](https://stackoverflow.com/questions/20621950/asp-net-identitys-default-password-hasher-how-does-it-work-and-is-it-secure) – Panagiotis Kanavos Aug 28 '20 at 09:52
  • As the duplicate question shows, the PasswordHasher is open-source so you can check it. It's [a public class](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.identity.passwordhasher-1?view=aspnetcore-3.1) which means you don't have to reimplement the hashing algorithm, just use it directly – Panagiotis Kanavos Aug 28 '20 at 09:55
  • BTW what does `used for further purposes.` mean? Spreading hashes around increases the chance of a leak. Do you want other applications to use the same accounts? Then either create an authentication service or use [Identity Server](https://github.com/IdentityServer) as the common auth service for all applications. – Panagiotis Kanavos Aug 28 '20 at 09:59

1 Answer


Is there any way I can hash the incoming password to compare with the stored and hashed password without using CheckPasswordAsync?

Not really. There is a trick in this - the password is also randomly salted and the salt is part of the hash, so you need to get that part out first to do the hashing. The hash also contains a code saying HOW it was hashed, IIRC. It is all in the code (it is not like these libraries are not open source), but it is a little more complex than running a hash method.

I generally find no need to do anything other than CheckPasswordAsync - it does what should be done and more is not needed.

If you really want to implement that yourself, start by RTFS (s = source), i.e. at https://github.com/dotnet/aspnetcore/blob/master/src/Identity/Extensions.Core/src/PasswordHasher.cs - this is how the password is hashed, so this does answer the question in detail.

TomTom
  • `PasswordHasher` is a public class so it can be used directly - assuming the OP is using .NET Core for `other purposes`. I suspect this is another XY Problem and the real X is common authentication for multiple applications – Panagiotis Kanavos Aug 28 '20 at 10:00
  • In which case the real problem is lack of knowledge - a common central OAuth server would serve the same (and more in terms of security) and bypass the whole problem. – TomTom Aug 28 '20 at 10:02
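The layout the answer refers to (format marker, then the salt, then the derived key) is easy to see in code. The following is an added example, not code from the question, the answer or the ASP.NET Core project: it uses the public `PasswordHasher<TUser>` directly, and alongside it re-derives the PBKDF2 subkey by hand from the parameters stored inside the hash, which is the "converted password" the question asks for. It assumes the `Microsoft.AspNetCore.Identity` and `Microsoft.AspNetCore.Cryptography.KeyDerivation` packages; `DemoUser`, `IdentityHashInspector` and the sample password are made up for the demonstration.

```csharp
using System;
using System.Buffers.Binary;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Cryptography.KeyDerivation;
using Microsoft.AspNetCore.Identity;

// Hypothetical user type; PasswordHasher<TUser> only needs a reference type here.
public sealed class DemoUser { public string UserName { get; set; } = "alice"; }

public static class IdentityHashInspector
{
    // Layout written by PasswordHasher.cs (linked in the answer), Base64-encoded:
    //   V2: 0x00 | salt (16 bytes) | subkey (32 bytes)      PBKDF2-HMAC-SHA1, 1000 iterations
    //   V3: 0x01 | prf (4 bytes, big-endian) | iterations (4, BE) | saltLen (4, BE) | salt | subkey
    public static (KeyDerivationPrf Prf, int Iterations, byte[] Salt, byte[] Subkey) Parse(string storedHash)
    {
        byte[] decoded = Convert.FromBase64String(storedHash);
        switch (decoded[0])
        {
            case 0x00:
                if (decoded.Length != 49) throw new FormatException("Malformed V2 hash");
                return (KeyDerivationPrf.HMACSHA1, 1000, decoded[1..17], decoded[17..]);
            case 0x01:
                var prf = (KeyDerivationPrf)BinaryPrimitives.ReadUInt32BigEndian(decoded.AsSpan(1, 4));
                int iterations = (int)BinaryPrimitives.ReadUInt32BigEndian(decoded.AsSpan(5, 4));
                int saltLen = (int)BinaryPrimitives.ReadUInt32BigEndian(decoded.AsSpan(9, 4));
                if (saltLen < 16 || 13 + saltLen >= decoded.Length) throw new FormatException("Malformed V3 hash");
                return (prf, iterations, decoded[13..(13 + saltLen)], decoded[(13 + saltLen)..]);
            default:
                throw new FormatException($"Unknown format marker 0x{decoded[0]:X2}");
        }
    }

    // Re-derive the subkey from the incoming password with the salt, PRF and iteration
    // count stored next to it, and compare in constant time. Returns the subkey only
    // when the password is correct, null otherwise.
    public static byte[] DeriveIfMatch(string storedHash, string providedPassword)
    {
        var (prf, iterations, salt, expected) = Parse(storedHash);
        byte[] actual = KeyDerivation.Pbkdf2(providedPassword, salt, prf, iterations, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected) ? actual : null;
    }

    public static void Main()
    {
        var hasher = new PasswordHasher<DemoUser>();
        var user = new DemoUser();
        const string password = "correct horse battery staple"; // constructed sample input
        string stored = hasher.HashPassword(user, password);

        // The library way: salt extraction and comparison are handled for you.
        // (V2 hashes come back as SuccessRehashNeeded under the default V3 settings.)
        Console.WriteLine(hasher.VerifyHashedPassword(user, stored, password));

        // The manual way: same check, plus the derived key the question wants to reuse.
        var (prf, iterations, salt, _) = Parse(stored);
        Console.WriteLine($"prf={prf} iterations={iterations} saltLen={salt.Length}");
        byte[] key = DeriveIfMatch(stored, password);
        Console.WriteLine(key is null ? "mismatch" : "subkey=" + BitConverter.ToString(key).Replace("-", ""));
        Console.WriteLine(DeriveIfMatch(stored, "wrong password") is null ? "wrong password rejected" : "BUG");
    }
}
```

Two things follow from the layout. Because the salt is random per hash, there is no way to "hash the incoming password" without first reading the salt and parameters out of the stored value, which is exactly why the answer says to leave this to `CheckPasswordAsync`. And the subkey that comes out is a password-equivalent secret: anything it is handed to can verify (and, offline, attack) that user's password, so the comment above about not spreading hashes around applies to it as well.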