How do I check the password entered by the user? BCrypt.HashPassword(password) does not match with BD.AspNetUsers.PasswordHash.

Question

Hello!

I have a website where users register. A user password is saved as a hash in BD.AspNetUsers.PasswordHash.
I have a separate proxy server that needs to verify the password entered by the user from another application.
I connect to the database of the site, try to create a hash of the password entered by the user and try find it in the database.

But this code on the server:

var hashPassword = BCrypt.Net.BCrypt.HashPassword(password);  

...creates a completely different hash of the same password for me.

How do I verify the password entered by the user on the proxy server?
Of course, I can save the real password on the site, but then why store it as a hash?

BCrypt.Net-Next.Strong Name - latest version 4.0.3. Website is on Net.core 6.

Thank you!

Answer 1

ASP.NET Core Identity does not use BCrypt to hash passwords unless you've configured the application to use BCrypt as the hash provider.

https://andrewlock.net/exploring-the-asp-net-core-identity-passwordhasher/

General information
https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/consumer-apis/password-hashing?view=aspnetcore-6.0

Source code
https://github.com/dotnet/AspNetCore/blob/main/src/Identity/Extensions.Core/src/PasswordHasher.cs

Answer 2

It would seem that this is a standard simple function in one line, but I can't understand how to check the password by hash with BCrypt. Maybe Net.Core 6 MVC Identity System encrypt the password by other cryptographer and uses, for example user_id or something else? Then what method should I use to compare the password and what should I send there?

Hash passwords in ASP.NET Core

password-hashing