I have an existing membership database where passwords are a hash of both username and a unique id. As I understand, ASP.NET Identity will take care of salting passwords for you.
However, I need my old hashed passwords to work until they are updated (i.e. they need to work on the first login at which point I'll update it).
The IPasswordHasher has the method VerifyHashedPassword(string hashedPassword, string providedPassword). This method doesn't allow me to pass in any sort of salt. I realize I don't need to provide a value for any new hashed passwords, but for my existing ones I need to do a legacy check.
    using System;
    using System.Web.Security;
    using Microsoft.AspNet.Identity;

    public class CoolGuyPasswordHasher : PasswordHasher {
        public IdentityContext DbContext { get; set; }

        // Custom hashing used before migrating to Identity:
        // SHA1 over password + the user's unique id, hex-encoded.
        public static string GetSHA1Hash(string password, string guid) {
            string passWithSalt = String.Concat(password, guid);
            return FormsAuthentication.HashPasswordForStoringInConfigFile(passWithSalt, "SHA1");
        }

        // Verify if the password is hashed using SHA1. If yes, rehash using ASP.NET Identity Crypto which is more secure
        public override PasswordVerificationResult VerifyHashedPassword(string hashedPassword, string providedPassword) {
            // I can't pass in my salt! ("sadFace" stands for the user's unique id,
            // which this method signature never receives)
            if (String.Equals(hashedPassword, GetSHA1Hash(providedPassword, sadFace), StringComparison.InvariantCultureIgnoreCase)) {
                ReHashPassword(hashedPassword, providedPassword); // own helper: store an Identity hash instead
                return PasswordVerificationResult.Success;
            }
            return base.VerifyHashedPassword(hashedPassword, providedPassword);
        }
    }
How could I go about doing my legacy salted password check? In the new system I suppose I could make the hashed password stay as the result of the username + id. However, since the implementation of ASP.NET Identity doesn't seem to cater towards that, what would be my best option?
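One way to get the salt into VerifyHashedPassword without changing its signature is to make the stored string self-describing: during migration, rewrite each legacy row as "legacy-sha1$<salt>$<hex digest>" so the salt (the username or unique id the old system appended) travels with the hash. The hasher below does that and answers SuccessRehashNeeded so the login path can replace the SHA-1 digest with a native Identity hash on the first successful login. This is an added example, not code from the question or from ASP.NET Identity; the "legacy-sha1" prefix, the LoginHelper class and the assumption that the old digest is SHA-1 over the UTF-8 bytes of password + salt in upper-case hex (what HashPasswordForStoringInConfigFile(..., "SHA1") produced) are this example's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// Hasher that accepts two stored formats:
//   1. native ASP.NET Identity hashes, delegated to the base class;
//   2. legacy hashes rewritten as "legacy-sha1$<salt>$<hex>", where <salt> is the
//      value the old system appended (the user's unique id). Because the salt
//      travels inside the stored string, VerifyHashedPassword needs no extra
//      argument. The prefix and layout are this example's own convention.
public class LegacyAwarePasswordHasher : PasswordHasher
{
    private const string LegacyPrefix = "legacy-sha1$";

    // One-off migration step: wrap the old digest together with its salt.
    // Run this per user while username and id are still at hand.
    public static string ToLegacyFormat(string sha1Hex, string salt)
    {
        if (salt.Contains("$")) throw new ArgumentException("salt must not contain '$'", "salt");
        return LegacyPrefix + salt + "$" + sha1Hex.ToUpperInvariant();
    }

    // Recomputes the old scheme without System.Web (assumption: SHA-1 over the
    // UTF-8 bytes of password + salt, upper-case hex, as produced by
    // FormsAuthentication.HashPasswordForStoringInConfigFile(..., "SHA1")).
    public static string LegacySha1(string password, string salt)
    {
        using (var sha1 = SHA1.Create())
        {
            byte[] digest = sha1.ComputeHash(Encoding.UTF8.GetBytes(password + salt));
            return BitConverter.ToString(digest).Replace("-", "");
        }
    }

    public override PasswordVerificationResult VerifyHashedPassword(string hashedPassword, string providedPassword)
    {
        if (hashedPassword == null || !hashedPassword.StartsWith(LegacyPrefix, StringComparison.Ordinal))
            return base.VerifyHashedPassword(hashedPassword, providedPassword);

        string[] parts = hashedPassword.Split('$');   // ["legacy-sha1", salt, hex]
        if (parts.Length != 3)
            return PasswordVerificationResult.Failed;

        string expected = parts[2].ToUpperInvariant();
        string actual = LegacySha1(providedPassword, parts[1]);

        // The password is right, but it must be re-stored with the modern
        // (random-salted, iterated) Identity hash.
        return FixedTimeEquals(expected, actual)
            ? PasswordVerificationResult.SuccessRehashNeeded
            : PasswordVerificationResult.Failed;
    }

    // Compare without leaking, through timing, how many leading characters matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class LoginHelper
{
    // Verify a login and, on SuccessRehashNeeded, replace the legacy hash with a
    // native Identity hash so the next login never touches the SHA-1 path.
    public static async Task<bool> CheckAndUpgradeAsync(UserManager<IdentityUser> manager, IdentityUser user, string password)
    {
        var result = manager.PasswordHasher.VerifyHashedPassword(user.PasswordHash, password);
        if (result == PasswordVerificationResult.Failed)
            return false;

        if (result == PasswordVerificationResult.SuccessRehashNeeded)
        {
            user.PasswordHash = manager.PasswordHasher.HashPassword(password);
            await manager.UpdateAsync(user);
        }
        return true;
    }
}
```

Assign the hasher with userManager.PasswordHasher = new LegacyAwarePasswordHasher() and route logins through CheckAndUpgradeAsync. The upgrade step is explicit because the stock UserManager in Identity 2.x only checks that the result is not Failed; it does not rewrite the stored hash on SuccessRehashNeeded by itself. The prefix also gives you an easy audit query: any PasswordHash still starting with "legacy-sha1$" belongs to a user who has not logged in since the migration, which is useful for deciding when to force a reset and retire the SHA-1 path entirely.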