How to set password rules for ASP.NET identity?

IT Hit WebDAV picture IT Hit WebDAV · Oct 23, 2013 · Viewed 14.7k times · Source

In my ASP.NET applications I have following settings in DefaultMembershipProvider and SqlMembershipProvider in web.config:

enablePasswordRetrieval="true"
passwordFormat="Clear" 
requiresQuestionAndAnswer="false" 

They are required for Digest authentication. I would like to move to ASP.NET Identity. I am using automated tool to update all web.config files that I manage.

How do I set these settings for ASP.NET Identity in the project generated by Visual Studio 2013?

Answer

jd4u picture jd4u · Oct 23, 2013

You need to provide IPasswordHasher implementation that can provide clear password without hashing. You can set UserManager.PasswordHasher to your implementation.

As of now, there is no web.config configurable settings for Identity. You need to provide appropriate mix of configurable in code, mainly in Startup.cs

It is not recommended to store passwords in clear format.

public class ClearPassword : IPasswordHasher
{
    public string HashPassword(string password)
    {
        return password;
    }

    public PasswordVerificationResult VerifyHashedPassword(string hashedPassword, string providedPassword)
    {
        if(hashedPassword.Equals(providedPassword))
            return PasswordVerificationResult.Success;
        else return PasswordVerificationResult.Failed;
    }
}