Hashing a password using hasher.HashPassword does not return the same password hash for user Identity?

Ahmed Salah Abed Elaziz 390 Reputation points
2023-03-11T08:53:21.6233333+00:00

I work on a Blazor Server web app with user Identity on .NET Core 7 in VS2022. I face an issue validating the password for user Identity.

It does not give me exactly the same password hash as in the database, although the password hash for Identity and the password hash from C# are for the same password: Coding@1234?

Meaning, hashing the password does not give the same password hash as in the table [dbo].[AspNetUsers], column PasswordHash.

    var hasher = new Microsoft.AspNetCore.Identity.PasswordHasher<IdentityUser>();
    IdentityUser identityUser = new IdentityUser(userDto.UserName);

    var passwordhash = hasher.HashPassword(identityUser, "Coding@1234?");
    // returns AQAAAAIAAYagAAAAEEAB/n7ETqnh3v5tHIT+VMG6FeIjTgKG5WUyLbeoI+aR3dpaj5SvQYKyYgvoIgWuaw==

I create a new user for Identity:

    var newUserResponse = userManager.CreateAsync(newUserIdentity, "Coding@1234?").Result;

From SQL Profiler:

exec sp_executesql N'SET IMPLICIT_TRANSACTIONS OFF;
SET NOCOUNT ON;
INSERT INTO [AspNetUsers] ([Id], [AccessFailedCount], [ConcurrencyStamp], [Email], [EmailConfirmed], [LockoutEnabled], [LockoutEnd], [NormalizedEmail], [NormalizedUserName], [PasswordHash], [PhoneNumber], [PhoneNumberConfirmed], [SecurityStamp], [TwoFactorEnabled], [UserName])
VALUES (@p0, @p1, @p2, @p3, @p4, @p5, @p6, @p7, @p8, @p9, @p10, @p11, @p12, @p13, @p14);
',N'@p0 nvarchar(450),@p1 int,@p2 nvarchar(4000),@p3 nvarchar(256),@p4 bit,@p5 bit,@p6 datetimeoffset(7),@p7 nvarchar(256),@p8 nvarchar(256),@p9 nvarchar(4000),@p10 nvarchar(4000),@p11 bit,@p12 nvarchar(4000),@p13 bit,@p14 nvarchar(256)',@p0=N'1a6d8e1d-05d1-4c68-985a-8b83fd472f3b',@p1=0,@p2=N'3b8af492-3dee-4c18-966e-ac934915ab35',@p3=NULL,@p4=0,@p5=1,@p6=NULL,@p7=NULL,@p8=N'AELAZIZ',@p9=N'AQAAAAIAAYagAAAAEDKDbDHoCo6hfP+umfKko/M8mcPnfx28LY3DAcf/Ufo0NhdDoq+CYuS/F5ChuFxcOA==',@p10=NULL,@p11=0,@p12=N'5TGBDLYFF3IXFGI4UDOMYG4OC63P7QC4',@p13=0,@p14=N'AElaziz'

Why is passwordhash not the same as PasswordHash in the Identity table [dbo].[AspNetUsers], and how do I solve this issue?

Developer technologies ASP.NET ASP.NET Core
Developer technologies .NET Blazor
Developer technologies C#

1 answer

  1. Viorel 122.6K Reputation points
    2023-03-11T09:39:08.61+00:00

    If you call the function twice:

    string passwordhash1 = hasher.HashPassword( identityUser, "Coding@1234?" );
    string passwordhash2 = hasher.HashPassword( identityUser, "Coding@1234?" );
    
    bool are_equal = passwordhash1 == passwordhash2;
    
    PasswordVerificationResult password_is_correct_1 = hasher.VerifyHashedPassword( identityUser, passwordhash1, "Coding@1234?" );
    PasswordVerificationResult password_is_correct_2 = hasher.VerifyHashedPassword( identityUser, passwordhash2, "Coding@1234?" );
    

    you will get different hashes, but the hash verification succeeds for both values.

    Therefore a difference between hashes is not unexpected.

    According to public sources, the class uses random number generators.

    To validate the hashed passwords, I think that you should use VerifyHashedPassword and the appropriate objects instead of string comparison.

    Why do you need equal hashes?
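
The difference described in the answer, shown on the two hashes quoted in the question. This is an added example, not code from the thread or from ASP.NET Core Identity: it decodes each hash into its header, salt and subkey, then re-derives the subkey with PBKDF2 using the salt stored in that hash. It assumes the Identity V3 hash layout noted in the comments; `Parse`, `Verify` and `ParsedHash` are hypothetical names.

```csharp
using System;
using System.Buffers.Binary;
using System.Security.Cryptography;

// The two hashes quoted in the question (same password, hashed twice).
string fromHashPassword = "AQAAAAIAAYagAAAAEEAB/n7ETqnh3v5tHIT+VMG6FeIjTgKG5WUyLbeoI+aR3dpaj5SvQYKyYgvoIgWuaw==";
string fromAspNetUsers = "AQAAAAIAAYagAAAAEDKDbDHoCo6hfP+umfKko/M8mcPnfx28LY3DAcf/Ufo0NhdDoq+CYuS/F5ChuFxcOA==";
string password = "Coding@1234?";

foreach (var (label, hash) in new[] { ("HashPassword", fromHashPassword), ("AspNetUsers", fromAspNetUsers) })
{
    ParsedHash p = Parse(hash);
    Console.WriteLine($"{label}: prf={p.Prf.Name} iterations={p.Iterations} salt={Convert.ToHexString(p.Salt)}");
    Console.WriteLine($"  password verifies: {Verify(p, password)}");
}

// Assumed layout (Identity V3): 0x01 | PRF id | iterations | salt length | salt | subkey,
// with the three integers stored as big-endian uint32.
static ParsedHash Parse(string base64)
{
    byte[] b = Convert.FromBase64String(base64);
    if (b.Length < 13 || b[0] != 0x01)
        throw new FormatException("Not an Identity V3 password hash.");

    uint prfId = BinaryPrimitives.ReadUInt32BigEndian(b.AsSpan(1, 4));
    uint iterations = BinaryPrimitives.ReadUInt32BigEndian(b.AsSpan(5, 4));
    uint saltLength = BinaryPrimitives.ReadUInt32BigEndian(b.AsSpan(9, 4));
    if (iterations == 0 || iterations > int.MaxValue || saltLength == 0 || saltLength >= b.Length - 13)
        throw new FormatException("Corrupt password hash header.");

    HashAlgorithmName prf = prfId switch
    {
        0 => HashAlgorithmName.SHA1,
        1 => HashAlgorithmName.SHA256,
        2 => HashAlgorithmName.SHA512,
        _ => throw new FormatException("Unknown PRF id."),
    };
    int saltEnd = 13 + (int)saltLength;
    return new ParsedHash(prf, (int)iterations, b[13..saltEnd], b[saltEnd..]);
}

// Re-derive the subkey with the salt stored in the hash and compare in constant time.
static bool Verify(ParsedHash p, string password)
{
    byte[] derived = Rfc2898DeriveBytes.Pbkdf2(password, p.Salt, p.Iterations, p.Prf, p.Subkey.Length);
    return CryptographicOperations.FixedTimeEquals(derived, p.Subkey);
}

// Hypothetical helper type for this example.
record ParsedHash(HashAlgorithmName Prf, int Iterations, byte[] Salt, byte[] Subkey);
```

The shared `AQAAAAIAAYagAAAAE` prefix of both strings is the encoded header; everything after it is the per-hash random salt and the subkey derived from it, which is why comparing the two strings can never match.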

