Generate custom PasswordHash with Microsoft.AspNet.Identity

Zacharias Karasavvas 0 Reputation points
2024-01-19T13:59:42.4433333+00:00

Hi, I'm using VS2022 and I want to override the default PasswordHash. I want to include the username in the hashed password when the user is created, for example. I found some code, but it is for Core, and I'm not using Core. I have created a MyCustomPasswordHash which inherits from IPasswordHasher, but it doesn't contain the user. If I override the methods, they contain only the passwords. I found the class below, but it is only for Core, and not for when you are using AspNet.Identity.Owin. Can anyone assist me with this? Is it possible to modify the above and make it work for Microsoft.AspNet.Identity.Owin?

```csharp
using System;
using Microsoft.AspNetCore.Identity;

public class HybridPasswordHasher : PasswordHasher<ApplicationUser>
{
    private readonly DateTime hybridExpirationDate = new DateTime(2024, 1, 1); // Set your desired expiration date

    public override PasswordVerificationResult VerifyHashedPassword(ApplicationUser user, string hashedPassword, string providedPassword)
    {
        // Check if the current date is before the hybrid expiration date
        if (DateTime.UtcNow < hybridExpirationDate)
        {
            // Try to verify using the custom hashing mechanism
            var customVerificationResult = TryVerifyCustomHashedPassword(user, hashedPassword, providedPassword);

            // If the custom verification succeeds, return the result
            if (customVerificationResult != PasswordVerificationResult.Failed)
            {
                return customVerificationResult;
            }

            // If the custom verification fails, fall back to default mechanism
            return base.VerifyHashedPassword(user, hashedPassword, providedPassword);
        }

        // Once the hybrid expiration date is reached, use only the custom mechanism
        return TryVerifyCustomHashedPassword(user, hashedPassword, providedPassword);
    }

    private PasswordVerificationResult TryVerifyCustomHashedPassword(ApplicationUser user, string hashedPassword, string providedPassword)
    {
        try
        {
            // Implement your custom verification logic here
            // This involves rehashing the provided password along with the username using SHA-512 and comparing it with the stored hash

            // For demonstration purposes, we're using SHA-512. In a real-world scenario, use a proper library for hashing.
            string customHashedPassword = HashPassword(user.UserName, providedPassword);
            return customHashedPassword.Equals(hashedPassword, StringComparison.OrdinalIgnoreCase)
                ? PasswordVerificationResult.Success
                : PasswordVerificationResult.Failed;
        }
        catch (Exception)
        {
            // If an exception occurs during the custom verification, return Failed to indicate fallback to default mechanism
            return PasswordVerificationResult.Failed;
        }
    }

    private string HashPassword(string username, string password)
    {
        using (var sha512 = System.Security.Cryptography.SHA512.Create())
        {
            byte[] hashedBytes = sha512.ComputeHash(System.Text.Encoding.UTF8.GetBytes($"{username}{password}"));

            // Convert the byte array to a hexadecimal string
            return BitConverter.ToString(hashedBytes).Replace("-", "");
        }
    }
}
```

1 answer

  1. Bruce (SqlWork.com) 56,026 Reputation points
    2024-01-19T16:23:26.3666667+00:00

    As OWIN identity uses an external website for authentication via OAuth, it does not need a password hash. You can override the encryption used for tokens, but this is not a hash, nor is the password available.

    Note: a hash is one way; not sure of the advantage of adding the username. You could just prefix the password with the name before save.

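The answer's suggestion of prefixing the password with the name, sketched for Microsoft.AspNet.Identity 2.x as an added example (not code from the question, the answer, or the library). It relies on `UserManager`'s protected virtual `UpdatePassword` and `VerifyPasswordAsync`, the places where the user object is in scope; `UserBoundUserManager`, `Bind` and the template-style `ApplicationUser` are assumed names.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

// Assumes ApplicationUser derives from IdentityUser (string key), as in the project template.
public class UserBoundUserManager : UserManager<ApplicationUser>
{
    public UserBoundUserManager(IUserStore<ApplicationUser> store) : base(store) { }

    // Hypothetical helper: length-prefix the name so ("ab", "c") and ("a", "bc")
    // cannot produce the same input to the hasher.
    private static string Bind(ApplicationUser user, string password)
    {
        string name = user.UserName.ToUpperInvariant();
        return name.Length + ":" + name + ":" + password;
    }

    protected override async Task<IdentityResult> UpdatePassword(
        IUserPasswordStore<ApplicationUser, string> passwordStore,
        ApplicationUser user, string newPassword)
    {
        // Apply the password policy to what the user typed, not to the bound string.
        IdentityResult policy = await PasswordValidator.ValidateAsync(newPassword);
        if (!policy.Succeeded) return policy;

        // The base method hashes with the configured IPasswordHasher (salted PBKDF2 by default).
        return await base.UpdatePassword(passwordStore, user, Bind(user, newPassword));
    }

    protected override async Task<bool> VerifyPasswordAsync(
        IUserPasswordStore<ApplicationUser, string> store,
        ApplicationUser user, string password)
    {
        if (await base.VerifyPasswordAsync(store, user, Bind(user, password))) return true;

        // Hybrid period: accept a hash created before the change, then re-hash it bound to the name.
        if (!await base.VerifyPasswordAsync(store, user, password)) return false;
        IdentityResult upgraded = await UpdatePassword(store, user, password);
        if (upgraded.Succeeded) await store.UpdateAsync(user);
        return true;
    }
}
```

Because the name is part of the hashed input, renaming a user makes the stored hash unverifiable until the password is set again.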