0

I am using ASP.NET Identity for membership in MVC5 and have a page for the admin user to manage users and roles. I am trying to allow the admin to change the password for any other user if he needs to do so. I am using this code to perform the task:

userManager.RemovePassword(userId);
userManager.AddPassword(userId, newPassword);

Seems simple enough, but when I try to login with the new password I just created, I can't; I get the invalid password message.

I tried to investigate this issue further by trying to find out how it hashes passwords and discovered this:

string hashed = userManager.PasswordHasher.HashPassword("some password");

Firstly, I am assuming this password hasher is what AddPassword() is using internally. Secondly, I noticed that each time I run HashPassword('some password'), I get a completely different hash returned to me.

I don't get it...

Matt
  • 6,787
  • 11
  • 65
  • 112
  • HashPassword uses a salt value to randomize the hash, which is why you get a different value each time youc all HashPassword. The salt value makes it impossible for attackers to use dictionary attacks if they get ahold of the hashed password to find out the unhashed version. This salt value is used again when validating the password. – Erik Funkenbusch Oct 08 '14 at 04:26
  • @ErikFunkenbusch OK fair enough, but what the heck is going on that I can't login with the password which I passed to `AddPassword()` ? – Matt Oct 08 '14 at 12:07

1 Answers1

-1

Alright, I found the problem, it's because of the following line of code in the AccountController:

var user = await UserManager.FindAsync(model.Email, model.Password);

What's happening here is that FindAsync requires a username, not an email and with the user I was testing, the username and email were different.

I wondered if maybe I changed the code in the Login action to pass in the email address and didn't remember... so I created a new MVC5 project and used Nuget to updated to the latest version... well, it looks like that's a bug! Yes, the default implementation actually passes in the email address to FindAsync. Obviously this is because when you register a new user, it sets up the username to be the email address (so they are the same and it doesn't matter). However, they didn't take into account the fact that someone may want to change their username!

Solved!

Matt
  • 6,787
  • 11
  • 65
  • 112