Search code examples
asp.netdjangohashmembershipsha1

Migrating ASP.NET membership users to Django without resetting passwords?

I've got a system that was partially written by someone else and is a complete maintenance nightmare for such a small app. I've finally been given changes which justifies just rewriting the horrible mess so I am moving it to Django.

Before I take the plunge, I've been trying to move over the password hash and salt into the Django auth tables [sha1]$[salt]$[hash] but can't get it to hash properly (resetting passwords isn't really an option).

Here is what I've been able to find out so far:

  • ASP.NET stores the hash as base64 string and uses a base64 salt (before hash)
  • I can obviously reverse the base64 hash to a byte array
  • Django uses a hexdigest, I tried BitConverter.ToString but they hash differently

Am I fighting a losing battle here? Would it be better to write a method in Django to hash as ASP.NET does?

Any help appreciated,

Thomas

Solution

  • The only real options you have here to avoid a password reset in the middle is to:

    1. Write a hash translation algorithm to transfer the Asp.Net hash into the hexdigest hash. Good luck with this one. If you pull it off, write a paper about it.
    2. Rewrite the Django hashing algorithm to hash identically to the Asp.Net algorithm. This one should be the easiest to pull off, but it's still going to have its traps and pitfalls in the process.

    You could also attempt to reverse engineer the passwords, but if you're successful in doing that it sort of makes the hashing algorithm pointless IMO.