6
votes

I have been tasked with making sure that users cannot use previous passwords when changing their password. To that end I store the Hash of their password when the Identity framework hashes the password.

My question is how to compare the hash of the user's newly selected password and the hash of their previously used password that I have saved? I need to take into account the salt that the Identity framework is using.

UPDATE: I am using appUserManager.PasswordHasher.HashPassword(passwordToHash) to hash the password but it creates a new hash each time (I assume it is because Identity framework is using a salt internally).

This aspnetcore identity or earlier version? - Brad Christie
ASP.NET Identity v2.2 - webworm
I would say override UserManager<TUser, TKey>.UpdateAsync(TUser user) and use a back-end history table. If a user is changing their password and it's one of the N passwords in the history, reject them with IdentityResult.Failed("Cannot reuse password."). - Brad Christie
I see what you're saying Brad, but I wanted to create a separate class that would perform a check that previous passwords were not used, as well as other validations. My problem is that when I use appUserManager.PasswordHasher.HashPassword(passwordToHash), I get a different hash result every time. - webworm

1 Answer

4
votes

The current password hash for a user is stored in table/column AspNetUsers.PasswordHash. This is also available through EF: ApplicationDbContext.Users.PasswordHash.

So you will need to create your own table that references user table and on every password change copy previous hash into your table.

Next step would be to verify that the new password does not match any of the old hashes. For that you need to use Microsoft.AspNet.Identity.PasswordHasher.VerifyHashedPassword(string hashedPassword, string providedPassword)

Where hashedPassword would be a value from your table of historic hashes and providedPassword would be a new proposed password.
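The check the answer describes, written out as an added example (not code from the answer or from ASP.NET Identity itself). It targets Identity 2.x (`Microsoft.AspNet.Identity`). The names `PreviousPassword`, `PasswordHistoryCheck`, `HistoryAwareUserManager` and the `loadPreviousHashes` lookup are hypothetical; how the history table is populated on each change is assumed to happen elsewhere, as the answer says. The key point it shows is that each stored hash embeds its own salt, so two `HashPassword` calls on the same password produce different strings, and the only comparison that works is `VerifyHashedPassword(oldHash, proposedPassword)` per historic row.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// Hypothetical row of your own history table: one previous
// AspNetUsers.PasswordHash value per password change for a user.
public class PreviousPassword
{
    public string UserId { get; set; }
    public string PasswordHash { get; set; }
    public DateTime ChangedUtc { get; set; }
}

public static class PasswordHistoryCheck
{
    // True if the proposed clear-text password matches any stored hash.
    // Re-hashing the proposal and comparing strings can never match because
    // every hash carries a fresh random salt; verify against each old hash instead.
    public static bool IsReused(IPasswordHasher hasher,
                                IEnumerable<string> previousHashes,
                                string proposedPassword)
    {
        return previousHashes.Any(oldHash =>
            hasher.VerifyHashedPassword(oldHash, proposedPassword)
                != PasswordVerificationResult.Failed);   // Success or SuccessRehashNeeded both count as a match
    }
}

// Hypothetical UserManager that rejects reused passwords before Identity stores the new hash.
public class HistoryAwareUserManager : UserManager<IdentityUser>
{
    // Hypothetical lookup: returns the historic hashes for a user id.
    // It should include the user's current AspNetUsers.PasswordHash as well.
    private readonly Func<string, IEnumerable<string>> _loadPreviousHashes;

    public HistoryAwareUserManager(IUserStore<IdentityUser> store,
                                   Func<string, IEnumerable<string>> loadPreviousHashes)
        : base(store)
    {
        _loadPreviousHashes = loadPreviousHashes;
    }

    public override async Task<IdentityResult> ChangePasswordAsync(
        string userId, string currentPassword, string newPassword)
    {
        if (PasswordHistoryCheck.IsReused(PasswordHasher, _loadPreviousHashes(userId), newPassword))
        {
            return IdentityResult.Failed("Cannot reuse a previous password.");
        }
        return await base.ChangePasswordAsync(userId, currentPassword, newPassword);
    }
}

public static class Demo
{
    public static void Main()
    {
        var hasher = new PasswordHasher();

        // Constructed history: the same old password hashed twice, plus a second old password.
        var history = new List<string>
        {
            hasher.HashPassword("Winter2015!"),
            hasher.HashPassword("Winter2015!"),
            hasher.HashPassword("Spring2016!")
        };

        // Different strings for the same password: this is the per-hash salt at work.
        Console.WriteLine(history[0] == history[1]);                                         // False

        Console.WriteLine(PasswordHistoryCheck.IsReused(hasher, history, "Winter2015!"));    // True
        Console.WriteLine(PasswordHistoryCheck.IsReused(hasher, history, "Summer2016!"));    // False
    }
}
```

Copy the old hash into the history table before `base.ChangePasswordAsync` runs, since that call overwrites `AspNetUsers.PasswordHash`; the lookup passed to the manager is where you would read `PreviousPassword` rows for the user and add the current hash. Verifying against N historic hashes costs N PBKDF2 runs, so keep the history bounded to the number of generations your policy actually requires.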