2

I have an existing site that I want to upgrade to MVC 5. I’d like to take advantage of the new ASP.NET Identity. There doesn’t seem to be a direct way of migrating my existing users i.e. copying passwords and salts to the new database scheme. A previous question I had about this suggested capturing the passwords as users log in and migrating them to the new authentication system one at a time.

For this to work I need to manually authenticate the users of the old system. After some googling it seems the following code should work:

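    // Requires: using System; using System.Text; using System.Security.Cryptography;
    // Salt-prefix variant: SHA-1 over the salt bytes followed by the password bytes.
    public static string EncodePassword(string pass, string salt)
    {
        byte[] bytes = Encoding.Unicode.GetBytes(pass);   // UTF-16LE bytes of the password
        byte[] src = Convert.FromBase64String(salt);      // salt is stored Base64-encoded
        byte[] dst = new byte[src.Length + bytes.Length];
        Buffer.BlockCopy(src, 0, dst, 0, src.Length);
        Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);
        HashAlgorithm algorithm = HashAlgorithm.Create("SHA1");
        byte[] inArray = algorithm.ComputeHash(dst);
        return Convert.ToBase64String(inArray);
    }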

But I am having no luck. Here is a password, password hash, and salt from the old membership table:

Password: password
Hash: A1sWiqXLSFx892gfZli5Mn85hZqjW1Vg6BAQ12S7B40=
Salt: Hou1PWslN7MQ+PjFLlW5Xg==
Format: 1

And from web.config:

    <membership defaultProvider="DefaultMembershipProvider">
      <providers>
        <clear />
        <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="DefaultConnection" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="Ultra" />
        <add name="DefaultMembershipProvider" type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="Ultra" />
      </providers>
    </membership>

Can someone explain what algorithm I should use to manually check this password?

4
  • Can you use Membership.ValidateUser? Commented Dec 5, 2013 at 17:33
  • That’s what I use on the old site. I don’t want to wire up the old membership plumbing on the new site. I thought just manually checking it would be cleaner. The new site uses UserManager.FindAsync() Commented Dec 5, 2013 at 17:41
  • I think that is going to be the easiest way to migrate. Commented Dec 5, 2013 at 17:44
  • Take a look at this QA on wiring up a custom password hasher in ASP.NET Identity: stackoverflow.com/questions/19957176/…. Commented Dec 6, 2013 at 16:46

3 Answers

1

I was able to use an algorithm based on this post https://stackoverflow.com/a/19184807/1626624

Here’s the algorithm for hashing passwords.

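    // Requires: using System; using System.Text; using System.Security.Cryptography;
    public static string EncodePassword(string pass, string salt)
    {
        var passBytes = Encoding.Unicode.GetBytes(pass);   // UTF-16LE bytes of the password
        var saltBytes = Convert.FromBase64String(salt);    // salt is stored Base64-encoded
        if (saltBytes.Length == 0)
        {
            // An empty salt would make the key-fill loop below spin forever.
            throw new ArgumentException("Salt must not be empty.", "salt");
        }

        using (var keyedHashAlgorithm = (KeyedHashAlgorithm)HashAlgorithm.Create("HMACSHA256"))
        {
            // Build the HMAC key by repeating the salt until the default key length is filled.
            var keyBytes = new byte[keyedHashAlgorithm.Key.Length];
            var offset = 0;

            while (offset < keyBytes.Length)
            {
                var count = Math.Min(saltBytes.Length, keyBytes.Length - offset);

                Buffer.BlockCopy(saltBytes, 0, keyBytes, offset, count);
                offset += count;
            }

            keyedHashAlgorithm.Key = keyBytes;

            return Convert.ToBase64String(keyedHashAlgorithm.ComputeHash(passBytes));
        }
    }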

0

    MembershipUser user = Membership.Provider.GetUser(Txtboxemail.Text, false);
    if (Membership.ValidateUser(Txtboxemail.Text, pass.Text)) { }

Maybe you are in need of this

0

Try using the tutorial Migrating an Existing Website from SQL Membership to ASP.NET Identity. It even has details on password hashing.
