How to check password manually in Asp.Net identity 2?

asp.net hash asp.net-identity asp.net-identity-2 password-encryption
Behrooz picture Behrooz · Dec 23, 2015 · Viewed 11.8k times · Source

This might actually be more of a conceptual question. In Asp.Net Identity the PasswordHasher generates a different hash for the same string every time you do:

new PasswordHasher.HashPassword("myString");

Now if for some reason I need to manually compare a user's input to the password saved in the database, I will most probably get a different string when I hash the user's entered password, than the one that is stored in the database.

Can someone please explain this to me? Shouldn't hashing the same string result in the same hash and if not, how does Identity itself realize that two different hashes are in fact the same?

Answer

Sam FarajpourGhamari picture Sam FarajpourGhamari · Dec 24, 2015

PasswordHasher generates different hashes each time because it uses salting technique. This technique secure the hashed password against dictionary attacks. By the way you could use following code to manually verify the password:

if(PasswordHasher.VerifyHashedPassword("hashedPassword", "password") 
    != PasswordVerificationResult.Failed)
{
    // password is correct 
}

Related questions

What is default hash algorithm that ASP.NET membership uses?

What is default hash algorithm that ASP.NET membership uses? And how can I change it?

Read More
ASP.NET membership salt?

How does ASP.NET membership generate their salt key and then how do they encode it (that is, is it salt + password or password + salt)? I am using SHA-1 with my membership, but I would like to recreate the same …

Read More
Retrieving password when the password stored as a hash value

Can users request that their password be emailed to themselves if the password is stored as a hash value? Is there any way to convert a hash value to the clear text value with the proper information (& what information …

Read More