none
Asp.net Identity password hashing algorithm RRS feed

  • Question

  • In the new membership system what hashing algorithm is used for password hashing? can't find it in the documentation

    Wednesday, November 20, 2013 9:24 AM

Answers

  • ASP.NET Identity isn't a single password system.  It is completely dependent upon the provider you're using.  The AD provider, for example, doesn't do anything with passwords as it just bounces of Win auth.  The cert provider doesn't need a password either.  The social providers use whatever algorithm they have decided upon.  The MS-specific implementation (that is equivalent to the old Membership API) ultimately appears to rely on Rfc2898DerivedBytes.  But the new Identity system is extensible so the password hash could be swapped out for the MS provider, in theory.

    Michael Taylor
    http://msmvps.com/blogs/p3net

    • Marked as answer by asblom Thursday, November 28, 2013 8:26 AM
    Friday, November 22, 2013 3:27 PM
    Moderator

All replies

  • Hi Asblom,

    You could find answer in this page. http://stackoverflow.com/questions/1137368/what-is-default-hash-algorithm-that-asp-net-membership-uses

    By the way, I think this thread is specific to ASP. NET forum. This form is to discuss problems about CLR development. If you have question about ASP. NET, please post a new thread on that forum for more effective response. http://forums.asp.net/.

    Best Regards,


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Thursday, November 21, 2013 8:31 AM
    Moderator
  • Hello Hetro,

    Thanks for the reply, but that answer is not about the new asp.net Identity framework. It's describing the last (and outdated) membership provider.

    It's a core .net framework question that's why i posted it here. But i will take your advise and create a thread there also. 

    Regards,

    Thursday, November 21, 2013 8:49 AM
  • ASP.NET Identity isn't a single password system.  It is completely dependent upon the provider you're using.  The AD provider, for example, doesn't do anything with passwords as it just bounces of Win auth.  The cert provider doesn't need a password either.  The social providers use whatever algorithm they have decided upon.  The MS-specific implementation (that is equivalent to the old Membership API) ultimately appears to rely on Rfc2898DerivedBytes.  But the new Identity system is extensible so the password hash could be swapped out for the MS provider, in theory.

    Michael Taylor
    http://msmvps.com/blogs/p3net

    • Marked as answer by asblom Thursday, November 28, 2013 8:26 AM
    Friday, November 22, 2013 3:27 PM
    Moderator