1

I can't find a way to disable automatic password hashing in ASP.NET Core Identity, because this code hashes the password automatically:

var result = await _userManager.CreateAsync(user, model.Password);
8
  • 4
    And why would you want to disable it? Passwords should always be hashed. Commented May 29, 2017 at 14:06
  • Do you really want to expose all your passwords to hackers and become the next public data breach? Are you sure your company can survive this? Commented May 29, 2017 at 14:18
  • 1
    Final comment - hackers read SO too, because they know that insecure questions and answers will end up in production code. Commented May 29, 2017 at 14:24
  • 4
    @DmitryVasilyukJust3F no, it's not "just customer requirement". It's a customer death wish. Make sure you get them to understand that password reset guarantees a data breach and get them to sign that they won't hold you responsible in that case, that they take full legal responsibility - including against criminal charges. Using such insecure practices knowingly is a very bad idea. Look around for a good lawyer anyway, just in case. Commented May 29, 2017 at 14:26
  • 3
    I hate when someone asks a valid question and the community just dumps on them instead of answering the question. Is it a good idea? No, in most cases not. Does the OP have a valid reason for asking? Up to them. But it's exceedingly unhelpful to attack and criticize them when you have no idea what the reason behind it is. I actually found this looking for the same thing. There is a valid reason behind my desire to do this (it's a private company, non-internet site and they use a simple PIN code that does not need to be hashed). Could it be? Yes. Should it be? Maybe. Must it be? No. Commented Feb 22, 2019 at 17:02

2 Answers

7

Since ASP.NET Core MVC uses dependency injection to set up Identity, all you need to do is create your own alternative password hashing class:

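// Requires: using Microsoft.AspNetCore.Identity;
public class CustomPasswordHasher : IPasswordHasher<AppUser>
{
    // Pass-through: the value written to the PasswordHash column is the plain-text password.
    public string HashPassword(AppUser user, string password)
    {
        return password;
    }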

    public PasswordVerificationResult VerifyHashedPassword(AppUser user, string hashedPassword, string providedPassword)
    {
        return hashedPassword.Equals(providedPassword) ? PasswordVerificationResult.Success : PasswordVerificationResult.Failed;
    }
}

and add:

services.AddScoped<IPasswordHasher<AppUser>, CustomPasswordHasher>();

in your MVC app's Startup.cs


5

You could write a class that overwrites UserManager

// ASP.NET Identity 2 (OWIN) namespaces used by this class
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;

public class ApplicationUserManager : UserManager<IdentityUser>
{
    public ApplicationUserManager(IUserStore<IdentityUser> store)
        : base(store)
    {
        this.PasswordHasher = new CustomPasswordHasher();
    }

    public static ApplicationUserManager Create(IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context)
    {
        var manager = new ApplicationUserManager(new UserStore<IdentityUser>(context.Get<ApplicationDbContext>()));

        manager.PasswordHasher = new CustomPasswordHasher();
        return manager;
    }
}

And then override PasswordHasher with a new custom hasher class that inherits PasswordHasher.

internal class CustomPasswordHasher : PasswordHasher
{
    public override string HashPassword(string password)
    {
        return password;
        //return Crypto.Sha1.Encrypt(password);
    }

    public override PasswordVerificationResult VerifyHashedPassword(string hashedPassword, string providedPassword)
    {
        // Alternative left commented out, as in HashPassword above:
        //var testHash = Crypto.Sha1.Encrypt(providedPassword);
        //return hashedPassword.Equals(testHash) ? PasswordVerificationResult.Success : PasswordVerificationResult.Failed;
        return hashedPassword.Equals(providedPassword) ? PasswordVerificationResult.Success : PasswordVerificationResult.Failed;
    }
}

Finally, remember, by doing that you're going to lose your database user's safety.

5 Comments

I know about security. It's needed just for the customer. I have some trouble with your code. I didn't see these classes: IdentityFactoryOptions and IOwinContext.
@DmitryVasilyukJust3F your customer is already in a hacker's list. It's not that difficult to track an SO account name back to a company and its customers. If you insist on disabling password security, make ABSOLUTELY certain that the customer releases you from any responsibility in case of a data breach. Is an insecure password reset mechanism that valuable to them?
Maybe it's missing some namespace reference.. msdn.microsoft.com/en-us/library/dn613282(v=vs.108).aspx
Great solution... about to implement myself. Thanks!
it might be worth mentioning that this works with plain .net (just did it with 4.7.2)
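
Added example, not part of either answer or of ASP.NET Core Identity itself: for a database that already holds passwords written by the pass-through hasher from the first answer, a hasher that accepts such a legacy row once and has Identity replace it with a real hash at sign-in. `UpgradingPasswordHasher` is a hypothetical name, and `AppUser` is the user type from the first answer.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;

// Hypothetical class name; AppUser is the user type from the first answer.
public class UpgradingPasswordHasher : PasswordHasher<AppUser>
{
    public UpgradingPasswordHasher(IOptions<PasswordHasherOptions> options = null)
        : base(options) { }

    // HashPassword is inherited, so new and changed passwords are always hashed.
    public override PasswordVerificationResult VerifyHashedPassword(
        AppUser user, string hashedPassword, string providedPassword)
    {
        if (LooksLikeIdentityHash(hashedPassword))
        {
            // Never fall back to string comparison for a real hash: otherwise a
            // leaked hash string could itself be submitted as the password.
            return base.VerifyHashedPassword(user, hashedPassword, providedPassword);
        }

        // Legacy row written by the pass-through hasher: constant-time comparison.
        bool match = CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(hashedPassword),
            Encoding.UTF8.GetBytes(providedPassword));

        // SuccessRehashNeeded makes UserManager store a fresh hash for this
        // user as part of the successful password check.
        return match
            ? PasswordVerificationResult.SuccessRehashNeeded
            : PasswordVerificationResult.Failed;
    }

    // Identity hashes are Base64; the first decoded byte is a format marker
    // (0x00 = v2, 0x01 = v3) followed by salt and subkey, 49 bytes or more.
    private static bool LooksLikeIdentityHash(string value)
    {
        try
        {
            byte[] decoded = Convert.FromBase64String(value);
            return decoded.Length >= 49 && (decoded[0] == 0x00 || decoded[0] == 0x01);
        }
        catch (FormatException) { return false; }
    }
}
```

It is registered in place of `CustomPasswordHasher` in the `services.AddScoped<IPasswordHasher<AppUser>, ...>()` line from the first answer. Accounts that never sign in keep their plain-text value until they are reset.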
