Hashing a password using hasher.HashPassword does not return the same password hash for user identity?

Ahmed Salah Abed Elaziz 390 Reputation points
2023-03-11T08:53:21.6233333+00:00

I am working on a Blazor Server web app with User Identity on .NET Core 7 in VS2022. I am facing an issue validating the password for a user identity.

It does not give me exactly the same password hash as in the database, although the Identity password hash and the password hash from C# are for the same password: Coding@1234?

Meaning, hashing the password does not give the same password hash as in table [dbo].[AspNetUsers], column Password Hash.

    var hasher = new Microsoft.AspNetCore.Identity.PasswordHasher<IdentityUser>();
    IdentityUser identityUser = new IdentityUser(userDto.UserName);

    var passwordhash = hasher.HashPassword(identityUser, "Coding@1234?");
    // returns AQAAAAIAAYagAAAAEEAB/n7ETqnh3v5tHIT+VMG6FeIjTgKG5WUyLbeoI+aR3dpaj5SvQYKyYgvoIgWuaw==

I create a new user for identity:

    var newUserResponse = userManager.CreateAsync(newUserIdentity, "Coding@1234?").Result;

From SQL Profiler:

exec sp_executesql N'SET IMPLICIT_TRANSACTIONS OFF;
SET NOCOUNT ON;
INSERT INTO [AspNetUsers] ([Id], [AccessFailedCount], [ConcurrencyStamp], [Email], [EmailConfirmed], [LockoutEnabled], [LockoutEnd], [NormalizedEmail], [NormalizedUserName], [PasswordHash], [PhoneNumber], [PhoneNumberConfirmed], [SecurityStamp], [TwoFactorEnabled], [UserName])
VALUES (@p0, @p1, @p2, @p3, @p4, @p5, @p6, @p7, @p8, @p9, @p10, @p11, @p12, @p13, @p14);
',N'@p0 nvarchar(450),@p1 int,@p2 nvarchar(4000),@p3 nvarchar(256),@p4 bit,@p5 bit,@p6 datetimeoffset(7),@p7 nvarchar(256),@p8 nvarchar(256),@p9 nvarchar(4000),@p10 nvarchar(4000),@p11 bit,@p12 nvarchar(4000),@p13 bit,@p14 nvarchar(256)',@p0=N'1a6d8e1d-05d1-4c68-985a-8b83fd472f3b',@p1=0,@p2=N'3b8af492-3dee-4c18-966e-ac934915ab35',@p3=NULL,@p4=0,@p5=1,@p6=NULL,@p7=NULL,@p8=N'AELAZIZ',@p9=N'AQAAAAIAAYagAAAAEDKDbDHoCo6hfP+umfKko/M8mcPnfx28LY3DAcf/Ufo0NhdDoq+CYuS/F5ChuFxcOA==',@p10=NULL,@p11=0,@p12=N'5TGBDLYFF3IXFGI4UDOMYG4OC63P7QC4',@p13=0,@p14=N'AElaziz'

Why is passwordhash not the same as PasswordHash in the identity table [dbo].[AspNetUsers], and how can I solve this issue?


1 answer

  1. Viorel 112.1K Reputation points
    2023-03-11T09:39:08.61+00:00

    If you call the function twice:

    string passwordhash1 = hasher.HashPassword( identityUser, "Coding@1234?" );
    string passwordhash2 = hasher.HashPassword( identityUser, "Coding@1234?" );
    
    bool are_equal = passwordhash1 == passwordhash2;
    
    PasswordVerificationResult password_is_correct_1 = hasher.VerifyHashedPassword( identityUser, passwordhash1, "Coding@1234?" );
    PasswordVerificationResult password_is_correct_2 = hasher.VerifyHashedPassword( identityUser, passwordhash2, "Coding@1234?" );
    

    you will get different hashes, but the hash verification succeeds for both values.

    Therefore a difference between hashes is not unexpected.

    According to public sources, the class uses random number generators.

    To validate the hashed passwords, I think that you should use VerifyHashedPassword and the appropriate objects instead of string comparison.

    Why do you need equal hashes?
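
The following is an added example, not code from the question or the answer. It decodes the two hashes quoted in the question to show that each one stores its own random salt, then checks a password the way verification has to work: re-derive with the stored salt and compare. It assumes the Identity V3 layout (0x01 marker, then big-endian PRF, iteration count and salt length, then salt and subkey); `ParsedHash` is a hypothetical helper name.

```csharp
// Added example: uses only base class library calls, no Identity package needed.
using System;
using System.Buffers.Binary;
using System.Security.Cryptography;

// The two hashes quoted in the question (same password, produced separately).
string fromHasher = "AQAAAAIAAYagAAAAEEAB/n7ETqnh3v5tHIT+VMG6FeIjTgKG5WUyLbeoI+aR3dpaj5SvQYKyYgvoIgWuaw==";
string fromDatabase = "AQAAAAIAAYagAAAAEDKDbDHoCo6hfP+umfKko/M8mcPnfx28LY3DAcf/Ufo0NhdDoq+CYuS/F5ChuFxcOA==";

foreach (var stored in new[] { fromHasher, fromDatabase })
{
    var h = ParsedHash.Parse(stored);
    Console.WriteLine($"prf={h.Prf} iterations={h.Iterations} salt={Convert.ToHexString(h.Salt)}");
    Console.WriteLine($"  verifies: {h.Verify("Coding@1234?")}");
}

// Hypothetical helper: one decoded V3 hash (assumed layout, see lead-in).
record ParsedHash(uint Prf, int Iterations, byte[] Salt, byte[] Subkey)
{
    const int HeaderLength = 13; // 1 marker byte + three 4-byte big-endian fields

    public static ParsedHash Parse(string base64)
    {
        byte[] raw = Convert.FromBase64String(base64);
        if (raw.Length < HeaderLength || raw[0] != 0x01)
            throw new FormatException("Not a V3 Identity password hash.");
        uint prf = BinaryPrimitives.ReadUInt32BigEndian(raw.AsSpan(1));
        int iterations = (int)BinaryPrimitives.ReadUInt32BigEndian(raw.AsSpan(5));
        int saltLength = (int)BinaryPrimitives.ReadUInt32BigEndian(raw.AsSpan(9));
        if (saltLength <= 0 || saltLength >= raw.Length - HeaderLength)
            throw new FormatException("Salt length does not fit the payload.");
        int subkeyStart = HeaderLength + saltLength;
        return new ParsedHash(prf, iterations, raw[HeaderLength..subkeyStart], raw[subkeyStart..]);
    }

    // Re-derive the subkey from the candidate password with the STORED salt,
    // then compare in constant time. Comparing hash strings cannot work.
    public bool Verify(string password)
    {
        var algorithm = Prf switch
        {
            0u => HashAlgorithmName.SHA1,
            1u => HashAlgorithmName.SHA256,
            2u => HashAlgorithmName.SHA512,
            _ => throw new NotSupportedException($"Unknown PRF value {Prf}.")
        };
        byte[] derived = Rfc2898DeriveBytes.Pbkdf2(password, Salt, Iterations, algorithm, Subkey.Length);
        return CryptographicOperations.FixedTimeEquals(derived, Subkey);
    }
}
```

Both values decode to the same header (PRF 2, 100000 iterations, 16-byte salt) and differ from the salt onward, which is why the strings never match even for the same password.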