11

In my ASP.NET applications I have the following settings in DefaultMembershipProvider and SqlMembershipProvider in web.config:

enablePasswordRetrieval="true"
passwordFormat="Clear" 
requiresQuestionAndAnswer="false" 

They are required for Digest authentication. I would like to move to ASP.NET Identity. I am using an automated tool to update all web.config files that I manage.

How do I set these settings for ASP.NET Identity in the project generated by Visual Studio 2013?

3
  • 1
    Password retrieval greatly increases the weakness of an application by requiring two way encryption and then relaying credentials in plain text. Consider implementing password reset tokens via e-mail instead if possible. Commented Nov 13, 2013 at 12:20
  • I am pretty sure this is not possible with Digest auth. Commented Nov 13, 2013 at 15:23
  • I found a 2014 dated article about custom password policy blogs.msdn.microsoft.com/webdev/2014/01/06/… Commented Jun 1, 2016 at 13:01

1 Answer

21

You need to provide an IPasswordHasher implementation that can provide the clear password without hashing. You can set UserManager.PasswordHasher to your implementation.

As of now, there are no web.config configurable settings for Identity. You need to provide an appropriate mix of configuration in code, mainly in Startup.cs.

It is not recommended to store passwords in clear format.

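using System;
using Microsoft.AspNet.Identity;

// Stores the password as-is: HashPassword performs no hashing.
public class ClearPassword : IPasswordHasher
{
    // Returns the clear-text password; this is the value that gets persisted.
    public string HashPassword(string password)
    {
        return password;
    }

    // Ordinal comparison of the stored and the supplied password.
    // A missing stored value never verifies (and no longer throws).
    public PasswordVerificationResult VerifyHashedPassword(string hashedPassword, string providedPassword)
    {
        if (hashedPassword != null &&
            string.Equals(hashedPassword, providedPassword, StringComparison.Ordinal))
            return PasswordVerificationResult.Success;
        return PasswordVerificationResult.Failed;
    }
}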

3 Comments

Is the provided password clear text or hashed (in case we used hashed passwords)?
The example is of the clear text password. You can implement a hashing algorithm in the HashPassword(string password) function and verify it the same way in the VerifyHashedPassword function.
Thanks jd4u, but I couldn't get where to add this class and where to call it?
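
Why Digest authentication needs a recoverable secret on the server, as an added example that is not part of the original question or answer and goes one step beyond them: the server recomputes the client's response (RFC 2617, qop=auth), and the password enters that computation only through HA1 = MD5(username:realm:password). The class and method names are illustrative, the caller is assumed to have already validated the nonce and nc, and the sample values are those of the RFC 2617 worked example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added example, not the answer's code: server-side Digest check (RFC 2617, qop=auth, MD5).
public static class DigestVerifier
{
    // H() from RFC 2617: lower-case hex MD5. UTF-8 encoding is an assumption.
    static string H(string s)
    {
        using (var md5 = MD5.Create())
        {
            byte[] d = md5.ComputeHash(Encoding.UTF8.GetBytes(s));
            return BitConverter.ToString(d).Replace("-", "").ToLowerInvariant();
        }
    }
    // HA1 is the only value that depends on the password.
    public static string ComputeHa1(string user, string realm, string clearPassword)
    {
        return H(user + ":" + realm + ":" + clearPassword);
    }

    // Recompute the response the client should have sent and compare it.
    public static bool Verify(string ha1, string method, string uri, string nonce,
                              string nc, string cnonce, string clientResponse)
    {
        string ha2 = H(method + ":" + uri);
        string expected = H(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
        return FixedTimeEquals(expected, clientResponse ?? "");
    }

    // Compares every character so timing does not reveal the first mismatch.
    static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Sample request values taken from the worked example in RFC 2617.
        string stored = "Circle Of Life"; // what ClearPassword leaves in PasswordHash
        string ha1 = ComputeHa1("Mufasa", "testrealm@host.com", stored);
        bool ok = Verify(ha1, "GET", "/dir/index.html",
            "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b",
            "6629fae49393a05397450978507c4ef1");
        Console.WriteLine("digest response accepted: " + ok);
    }
}
```

Because `Verify` consumes only HA1, a per-user HA1 can be stored in place of the clear password. HA1 is still a password equivalent for that realm and needs the same protection as the password itself.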
