Tags: c#, android, asp.net-mvc, rest, asp.net-identity-2

ASP.Net Identity 2.0 and rest API for android


I have an MVC website using ASP.NET Identity 2.0 for authentication. I am also developing a REST API against the same DB for an Android mobile app. I want to use the Identity 2.0 hashed password for authentication in the REST API, but the plain password must not be sent from the Android app. The Android app must hash the password the same way the Identity 2.0 user manager does, so that I can compare the password sent from the Android app with the password present in the AspNetUsers table. The problem is that I cannot find any implementation or guidelines for implementing the Identity 2.0 PasswordHasher in Java/Android.

Here is the c# code of identity 2.0 PasswordHasher https://raw.githubusercontent.com/aspnet/Identity/5480aa182bad3fb3b729a0169d0462873331e306/src/Microsoft.AspNetCore.Identity/PasswordHasher.cs

Please help, I have been stuck on this for the last two days.


Solution

  • Hashing the password on the client is a bad idea. How does it make it better than sending just the password in plain text? If a MiTM attacker gets the hashed password, he gets all he needs to log into your system. Yes, you are not transmitting the original password, but you are transmitting a hash that effectively becomes the password, and you store the plain-text hash of the password in the database anyway.

    Also, what about the salt? In the Identity framework the salt is stored in the same field as the hash; they are appended one to another. If you run PasswordHasher.HashPassword() 10 times on the same string, you'll get 10 different results, because the result already includes the salt. If you try to run this on the client, you'll get a different string every time and you won't be able to compare it to the hash/salt already stored in your DB. So you'll have to pass the salt somehow from the server to be able to hash with the same salt. This makes it overly complex and prone to being done incorrectly.

    Don't try to invent security systems yourself. Pass the username/password in plain text over an encrypted connection and let the framework do the hashing/persisting for you.