Tags: c#, asp.net-core, asp.net-identity, blazor-server-side, blazor-webassembly

Why is a password hash computed manually in C# not the same as the user Identity password hash, although I applied the same password?


I work in a Blazor Server web app with user Identity on .NET Core 7 and VS 2022.

I have an issue comparing the password hashes produced by hasher.HashPassword and by userManager.CreateAsync for user Identity.

I do not get the same password hash as exists in the database, although the password hash for Identity and the password hash computed manually in C# are for the same password Coding@1234? and the same user AElaziz.

Meaning, hashing the password manually does not return the same password hash that is in table [dbo].[AspNetUsers] in column PasswordHash.

var hasher = new Microsoft.AspNetCore.Identity.PasswordHasher<IdentityUser>();
IdentityUser identityUser = new IdentityUser(userDto.UserName);

var passwordhash = hasher.HashPassword(identityUser,"Coding@1234?"); 

This returns:

AQAAAAIAAYagAAAAEEAB/n7ETqnh3v5tHIT+VMG6FeIjTgKG5WUyLbeoI+aR3dpaj5SvQYKyYgvoIgWuaw==

When creating a new user for identity table:

var newUserResponse =  userManager.CreateAsync(newUserIdentity, "Coding@1234?").Result;

From SQL Server Profiler:

exec sp_executesql N'SET IMPLICIT_TRANSACTIONS OFF;
SET NOCOUNT ON;

INSERT INTO [AspNetUsers] ([Id], [AccessFailedCount], [ConcurrencyStamp], [Email], [EmailConfirmed], [LockoutEnabled], [LockoutEnd], [NormalizedEmail], [NormalizedUserName], [PasswordHash], [PhoneNumber], [PhoneNumberConfirmed], [SecurityStamp], [TwoFactorEnabled], [UserName])
VALUES (@p0, @p1, @p2, @p3, @p4, @p5, @p6, @p7, @p8, @p9, @p10, @p11, @p12, @p13, @p14);
',N'@p0 nvarchar(450),@p1 int,@p2 nvarchar(4000),@p3 nvarchar(256),@p4 bit,@p5 bit,@p6 datetimeoffset(7),@p7 nvarchar(256),@p8 nvarchar(256),@p9 nvarchar(4000),@p10 nvarchar(4000),@p11 bit,@p12 nvarchar(4000),@p13 bit,@p14 nvarchar(256)',@p0=N'1a6d8e1d-05d1-4c68-985a-8b83fd472f3b',@p1=0,@p2=N'3b8af492-3dee-4c18-966e-ac934915ab35',@p3=NULL,@p4=0,@p5=1,@p6=NULL,@p7=NULL,@p8=N'AELAZIZ',@p9=N'AQAAAAIAAYagAAAAEDKDbDHoCo6hfP+umfKko/M8mcPnfx28LY3DAcf/Ufo0NhdDoq+CYuS/F5ChuFxcOA==',@p10=NULL,@p11=0,@p12=N'5TGBDLYFF3IXFGI4UDOMYG4OC63P7QC4',@p13=0,@p14=N'AElaziz'

Why is the password hash not the same as the password hash in table [dbo].[AspNetUsers], although both are for the same password?

How to solve this issue?


Solution

  • The hash that is stored is a salted hash, meaning random data is added before hashing, so each new hash produces a different result.

    So you cannot re-hash a clear text password and compare that against the value in the database.

    What you should do is get the hashed password from the database (by just the username, ignoring the password for now) and use VerifyHashedPassword to see if there is a match.

    Note that this gives an enum result (PasswordVerificationResult) that also has the value SuccessRehashNeeded:

    Indicates password verification was successful however the password was encoded using a deprecated algorithm and should be rehashed and updated.

    Use the clear text password you still have at this point to calculate (and store) a new hash that is calculated using an updated algorithm.
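The following is an added example, not code from the question or the answer, showing both halves of the answer in one console program (.NET 7, Microsoft.AspNetCore.Identity package): first it decodes the two hashes copied from the question to show that they differ only because each carries its own random salt, then it performs the recommended VerifyHashedPassword check, including the SuccessRehashNeeded branch. The CheckCredentialsAsync helper is hypothetical (UserManager would come from dependency injection in a real app), and the password "Coding@1234?" and user name "AElaziz" are taken from the question.

```csharp
using System;
using System.Buffers.Binary;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

// Values copied from the question: the hash HashPassword() returned and the hash
// CreateAsync() wrote to AspNetUsers, both for the same password and user.
const string Password = "Coding@1234?";
const string HashFromCode = "AQAAAAIAAYagAAAAEEAB/n7ETqnh3v5tHIT+VMG6FeIjTgKG5WUyLbeoI+aR3dpaj5SvQYKyYgvoIgWuaw==";
const string HashFromDb   = "AQAAAAIAAYagAAAAEDKDbDHoCo6hfP+umfKko/M8mcPnfx28LY3DAcf/Ufo0NhdDoq+CYuS/F5ChuFxcOA==";

var hasher = new PasswordHasher<IdentityUser>();
var user = new IdentityUser("AElaziz");

// 1. Hashing the same password twice never yields the same string:
//    every call draws a fresh random salt before running PBKDF2.
string first = hasher.HashPassword(user, Password);
string second = hasher.HashPassword(user, Password);
Console.WriteLine($"Same string from two HashPassword calls? {first == second}");

// 2. Decode the Identity V3 layout to see exactly what differs.
//    byte 0 is the 0x01 version marker, followed by three big-endian UInt32 fields
//    (PRF, where 2 = HMACSHA512; iteration count; salt length), then the salt,
//    then the derived subkey.
foreach (var (label, hash) in new[] { ("HashPassword()", HashFromCode), ("AspNetUsers row", HashFromDb) })
{
    byte[] raw = Convert.FromBase64String(hash);
    uint prf = BinaryPrimitives.ReadUInt32BigEndian(raw.AsSpan(1, 4));
    uint iterations = BinaryPrimitives.ReadUInt32BigEndian(raw.AsSpan(5, 4));
    int saltLength = (int)BinaryPrimitives.ReadUInt32BigEndian(raw.AsSpan(9, 4));
    byte[] salt = raw.AsSpan(13, saltLength).ToArray();
    byte[] subkey = raw.AsSpan(13 + saltLength).ToArray();
    Console.WriteLine($"{label}: version={raw[0]} prf={prf} iterations={iterations}");
    Console.WriteLine($"  salt   = {Convert.ToHexString(salt)}");
    Console.WriteLine($"  subkey = {Convert.ToHexString(subkey)}");
}

// 3. What the answer recommends: never re-hash and compare strings; instead hand the
//    stored hash and the clear-text candidate to VerifyHashedPassword.
PasswordVerificationResult check = hasher.VerifyHashedPassword(user, HashFromDb, Password);
Console.WriteLine($"VerifyHashedPassword against the stored hash: {check}");

// The same flow through UserManager, as a login handler would do it (hypothetical helper).
// A missing account still performs one verification so that it takes roughly as long as
// a wrong password, which keeps user-name enumeration by timing harder.
async Task<bool> CheckCredentialsAsync(UserManager<IdentityUser> userManager, string userName, string password)
{
    IdentityUser? found = await userManager.FindByNameAsync(userName);
    IPasswordHasher<IdentityUser> h = userManager.PasswordHasher;

    if (found?.PasswordHash is null)
    {
        h.VerifyHashedPassword(new IdentityUser(userName), HashFromCode, password);
        return false;
    }

    switch (h.VerifyHashedPassword(found, found.PasswordHash, password))
    {
        case PasswordVerificationResult.Success:
            return true;
        case PasswordVerificationResult.SuccessRehashNeeded:
            // Verified, but with an outdated algorithm or iteration count: the clear text
            // is still in hand, so compute and store a fresh hash now.
            found.PasswordHash = h.HashPassword(found, password);
            await userManager.UpdateAsync(found);
            return true;
        default:
            return false;
    }
}
```

Running the first part prints two different salts and two different subkeys under the same version, PRF and iteration count, which is the whole reason the strings in the question disagree. In a real application UserManager.CheckPasswordAsync already performs the verify-and-rehash sequence that CheckCredentialsAsync spells out; the helper is only there to make the SuccessRehashNeeded handling visible.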