PasswordHasher Always Fails Validation

  • User-1156750444 posted


    I'm implementing a policy where passwords cannot be reused and have the structure in place; however, I'm trying to work out how to check this against the PasswordHasher, and I always get a failed match.

    I've overridden the ChangePasswordAsync method in the ApplicationUserManager as follows: newPassword is passed in as plain text and hashed, and then I attempt to verify it against the previous entries.

    public override async Task<IdentityResult> ChangePasswordAsync(string userId, string currentPassword, string newPassword)
    {
        var hashedPassword = PasswordHasher.HashPassword(newPassword);
        using (var databaseContext = new ApplicationDbContext())
        {
            var history = databaseContext.PasswordHistories.OrderBy(h => h.PasswordCreated).Where(h => h.ApplicationUserId == userId).ToList();
            foreach (var passwordHistory in history)
            {
                var pwResult = PasswordHasher.VerifyHashedPassword(passwordHistory.PasswordHash, hashedPassword); // result unused
            }
            if (history.Select(h => h.PasswordHash).Any(p => PasswordHasher.VerifyHashedPassword(p, hashedPassword) == PasswordVerificationResult.Success))
            {
                return new IdentityResult("Password must be different from the previous 12 used passwords");
            }
            //Omitted for simplicity
        }
    }

    I thought I might be doing something stupid until I ran a very simple test in the immediate window, which consistently returns Failed.

    PasswordHasher.VerifyHashedPassword(PasswordHasher.HashPassword(newPassword), PasswordHasher.HashPassword(newPassword))

    Any ideas?



    Thursday, February 4, 2016 12:48 PM
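As an added example (not the poster's code), the same override written the way the Identity PasswordHasher expects: HashPassword draws a fresh random salt on every call, so two hashes of one password never match as strings, and VerifyHashedPassword takes the stored hash first and the plain-text candidate second. It assumes the poster's ApplicationUser, ApplicationDbContext and PasswordHistories names and a manager derived from UserManager<ApplicationUser>.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

// Added example, not the poster's code. Assumes the poster's ApplicationUser,
// ApplicationDbContext and PasswordHistories (ApplicationUserId, PasswordHash,
// PasswordCreated), with the manager deriving from UserManager<ApplicationUser>.
public class ApplicationUserManager : UserManager<ApplicationUser>
{
    private const int HistoryDepth = 12;
    public ApplicationUserManager(IUserStore<ApplicationUser> store) : base(store) { }

    public override async Task<IdentityResult> ChangePasswordAsync(
        string userId, string currentPassword, string newPassword)
    {
        // Check currentPassword first, so the reuse error cannot be used to probe old passwords.
        var user = await FindByIdAsync(userId);
        if (user == null || !await CheckPasswordAsync(user, currentPassword))
        {
            return IdentityResult.Failed("Incorrect password.");
        }

        List<string> recentHashes;
        using (var databaseContext = new ApplicationDbContext())
        {
            recentHashes = databaseContext.PasswordHistories
                .Where(h => h.ApplicationUserId == userId)
                .OrderByDescending(h => h.PasswordCreated)
                .Take(HistoryDepth)
                .Select(h => h.PasswordHash)
                .ToList();
        }

        // VerifyHashedPassword(storedHash, plaintext): the stored hash carries its own random
        // salt, so the plaintext goes in the second slot. A fresh HashPassword(newPassword)
        // there always gives Failed, because every HashPassword call draws a new salt.
        var reused = recentHashes.Any(stored =>
            PasswordHasher.VerifyHashedPassword(stored, newPassword) != PasswordVerificationResult.Failed);
        if (reused)
        {
            return IdentityResult.Failed("Password must be different from the previous 12 used passwords");
        }

        // The base call verifies currentPassword again and stores the new hash; appending
        // that hash to PasswordHistories is omitted here, as in the original post.
        return await base.ChangePasswordAsync(userId, currentPassword, newPassword);
    }
}
```

SuccessRehashNeeded is treated as a match on purpose: an old hash produced under an earlier format still identifies the same password.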