ASP.NET Identity’s default Password Hasher – How does it work and is it secure?

by

Here is how the default implementation (ASP.NET Framework or ASP.NET Core) works. It uses a Key Derivation Function with random salt to produce the hash. The salt is included as part of the output of the KDF. Thus, each time you “hash” the same password you will get different hashes. To verify the hash the output is split back to the salt and the rest, and the KDF is run again on the password with the specified salt. If the result matches to the rest of the initial output the hash is verified.

Hashing:

public static string HashPassword(string password)
{
    byte[] salt;
    byte[] buffer2;
    if (password == null)
    {
        throw new ArgumentNullException("password");
    }
    using (Rfc2898DeriveBytes bytes = new Rfc2898DeriveBytes(password, 0x10, 0x3e8))
    {
        salt = bytes.Salt;
        buffer2 = bytes.GetBytes(0x20);
    }
    byte[] dst = new byte[0x31];
    Buffer.BlockCopy(salt, 0, dst, 1, 0x10);
    Buffer.BlockCopy(buffer2, 0, dst, 0x11, 0x20);
    return Convert.ToBase64String(dst);
}

Verifying:

public static bool VerifyHashedPassword(string hashedPassword, string password)
{
    byte[] buffer4;
    if (hashedPassword == null)
    {
        return false;
    }
    if (password == null)
    {
        throw new ArgumentNullException("password");
    }
    byte[] src = Convert.FromBase64String(hashedPassword);
    if ((src.Length != 0x31) || (src[0] != 0))
    {
        return false;
    }
    byte[] dst = new byte[0x10];
    Buffer.BlockCopy(src, 1, dst, 0, 0x10);
    byte[] buffer3 = new byte[0x20];
    Buffer.BlockCopy(src, 0x11, buffer3, 0, 0x20);
    using (Rfc2898DeriveBytes bytes = new Rfc2898DeriveBytes(password, dst, 0x3e8))
    {
        buffer4 = bytes.GetBytes(0x20);
    }
    return ByteArraysEqual(buffer3, buffer4);
}

More Related Contents:

  1. How to hash a password
  2. Configure the authorization server endpoint
  3. How to get current user, and how to use User class in MVC5?
  4. IdentityServer4 Role Based Authorization for Web API with ASP.NET Core Identity
  5. Is it secure to store passwords in cookies?
  6. How do I get the currently loggedin Windows account from an ASP.NET page?
  7. Child actions are not allowed to perform redirect actions, after setting the site on HTTPS [duplicate]
  8. Why is Asp.Net Identity IdentityDbContext a Black-Box?
  9. ASP.NET Identity – Multiple object sets per type are not supported
  10. The entity type ApplicationUser is not part of the model for the current context
  11. User in Entity type MVC5 EF6
  12. Get UserID of logged-in user in Asp.Net MVC 5
  13. “Context cannot be used while the model is being created” exception with ASP.NET Identity
  14. Configure Unity DI for ASP.NET Identity
  15. Opening password-protected pdf file with iTextSharp
  16. Access files from network share in c# web app
  17. Get the current user, within an ApiController action, without passing the userID as a parameter
  18. Block requests after multiple unsuccessful logins
  19. difference between http.context.user and thread.currentprincipal and when to use them?
  20. Best way to restrict access by IP address?
  21. Why is JsonRequestBehavior needed?
  22. ASP.NET Calling WebMethod with jQuery AJAX “401 (Unauthorized)”
  23. Forms Authentication across Sub-Domains
  24. How to use Json.NET for JSON modelbinding in an MVC5 project?
  25. .NET Configuration (app.config/web.config/settings.settings)
  26. Retrieve image from database in asp.net
  27. Repository Pattern Step by Step Explanation [closed]
  28. Memory Mapped Files .NET
  29. When Should I Use Response.Redirect(url, true)?
  30. Conditional Logic in ASP.net page

Leave a Comment