4

I am using ASP.NET MVC 5 along with Microsoft Identity.

I have a table called AspNetUsers.

It has a field called "PasswordHash".

I created 2 users with the same password, yet the password hash is different.

Why is that? I don't understand how it functions. Does it use the machine key?

What would happen if I deploy my server in the cloud, with the same database?

Would Identity password comparison continue to function there also?

TotalWar

1 Answer

5

Identity puts the password hash and salt in the same field in the database. The password hash is always 32 bytes long and the salt is always 16 bytes long. So when it comes to password validation, Identity always knows what is salt and what is the actual hash. You can verify this by looking at the source code.

And because the salt is always different from one execution to another, a password with the salt attached will always produce different hash results.

trailmax