SQLMembership to Identity 2.0 - old encrypted passwords

  • Question

  • User1072303328 posted

    I've migrated a SQLMembership database into an Identity 2.0 database.

    My old database used encrypted passwords. My Identity 2.0 implementation will use hashed passwords.

    My SQL script inserted into the new PasswordHash field using this:

    (aspnet_Membership.Password+'|'+CAST(aspnet_Membership.PasswordFormat as varchar)+'|'+aspnet_Membership.PasswordSalt)

    I then override the VerifyHashedPassword method to Split('|') it up.... if it splits into three parts it's an old password.

    I need a method to encrypt the password being attempted to compare it to the old aspnet_Membership.Password. Not sure how to do this. As you see I have the old salt and the old hashed password. 

    If the password is correct, I then approve the authentication and reset the password using the new format.

    Alternatively, if I could unencrypt and re-hash the passwords in my SQL script... that would probably be easier?

    I hope this makes sense.

    Wednesday, May 7, 2014 6:23 PM

All replies

  • User-734925760 posted

    Hi,

    According to your description, you want to migrate a SQLMembership database into an Identity 2.0 database. So far as I know, you first need to create a custom ApplicationUser that has the same properties as your UserProfile in SimpleMembership.

    As the password is encrypted, we must try to decrypt the password; then we can try to use the HashPassword function.

    For more information about Migrating an Existing Website from SQL Membership to ASP.NET Identity, please refer to the links below:

    http://kevin-junghans.blogspot.com/2014/02/migrating-existing-website-from.html

    http://msdn.microsoft.com/en-us/library/system.web.helpers.crypto(v=vs.111).aspx

    Hope it's useful for you.

    Best Regards,

    Michelle Ge

    Thursday, May 8, 2014 6:32 AM
  • User1072303328 posted

    Hmm... getting closer. I think I need to simplify my explanation:

    Here's an example of what I am trying to accomplish:

    https://aspnet.codeplex.com/SourceControl/latest#Samples/Identity/UniversalProviders-Identity-Migrations/UniversalProviders-Identity-Migrations/IdentityModels/UserManager.cs

    In the last else statement of the EncryptPassword method I see this:

    else {
        byte[] bAll = new byte[bSalt.Length + bIn.Length];
        Buffer.BlockCopy(bSalt, 0, bAll, 0, bSalt.Length);
        Buffer.BlockCopy(bIn, 0, bAll, bSalt.Length, bIn.Length);
        // bRet = EncryptPassword(bAll, LegacyPasswordCompatibilityMode);
    }


    So, I've moved all my users to Identity 2.0, but the old users still need to be able to log in with their legacy passwords.

    Their password will get to this logic... but as you can see, the EncryptPassword bit is commented out. Not sure why they didn't finish the example...

    It's this bit of logic I'm trying to figure out. As a newbie to encryption, I think I have to use the salt, pass then the machinekey to get it encrypted. Then once it's encrypted I can compare it to the legacy passwordHash to verify it matches.

    If I can get that working, I'll go further and on a successful login reset the password using the new hashing in Identity 2.0.

    Thursday, May 8, 2014 4:43 PM
  • User1072303328 posted

    I ended up implementing my own Membership Provider... which decrypts and compares the password successfully.

    I then compare and return PasswordVerificationResult.SuccessRehashNeeded... but I don't think the automatic rehash is implemented yet.

    Thursday, May 8, 2014 6:50 PM
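
The approach discussed in this thread, as an added example that is not part of any post and not the CodePlex sample's code: a PasswordHasher subclass that recognizes the `password|format|salt` value written by the migration script, checks the attempted password against the decrypted legacy value, and returns SuccessRehashNeeded. `LegacyAwarePasswordHasher` and the `decryptLegacy` delegate are hypothetical names. The code assumes PasswordSalt is Base64 and that the decrypted bytes are the salt followed by the UTF-16 password, the same layout as `bAll` in the snippet quoted earlier in the thread.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNet.Identity;

public class LegacyAwarePasswordHasher : PasswordHasher
{
    // Hypothetical hook: decrypts a legacy aspnet_Membership.Password value, for
    // example through a MembershipProvider subclass that exposes DecryptPassword
    // and runs with the old site's machineKey.
    private readonly Func<byte[], byte[]> _decryptLegacy;

    public LegacyAwarePasswordHasher(Func<byte[], byte[]> decryptLegacy)
    {
        _decryptLegacy = decryptLegacy;
    }

    public override PasswordVerificationResult VerifyHashedPassword(
        string hashedPassword, string providedPassword)
    {
        string[] parts = (hashedPassword ?? string.Empty).Split('|');
        if (parts.Length != 3)   // no separators: already an Identity 2.0 hash
            return base.VerifyHashedPassword(hashedPassword, providedPassword);

        // Only PasswordFormat 2 (Encrypted) is handled; reject anything else.
        if (parts[1] != "2" || string.IsNullOrEmpty(providedPassword))
            return PasswordVerificationResult.Failed;
        try
        {
            byte[] salt = Convert.FromBase64String(parts[2]);
            byte[] pwd = Encoding.Unicode.GetBytes(providedPassword);
            // Assumed plaintext layout (as bAll above): salt bytes, then password bytes.
            byte[] expected = new byte[salt.Length + pwd.Length];
            Buffer.BlockCopy(salt, 0, expected, 0, salt.Length);
            Buffer.BlockCopy(pwd, 0, expected, salt.Length, pwd.Length);
            byte[] actual = _decryptLegacy(Convert.FromBase64String(parts[0]));
            return FixedTimeEquals(expected, actual)
                ? PasswordVerificationResult.SuccessRehashNeeded  // caller stores a new hash
                : PasswordVerificationResult.Failed;
        }
        catch (FormatException) { return PasswordVerificationResult.Failed; }
        catch (CryptographicException) { return PasswordVerificationResult.Failed; }
    }

    // Compares every byte so timing does not reveal where the arrays differ.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

An instance can be assigned to the `PasswordHasher` property of the application's `UserManager`, so that legacy values are only ever compared, never returned in clear text to the caller.
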
  • User597094073 posted

    Hi Mytrilife


    I'm trying to create identity 2.0 users in a SQL job.

    During your search for answers, did you perhaps come across any information on how the passwordhash column is encoded?

    Any information you have would be great, thanks.

    Monday, July 28, 2014 6:53 AM