
Currently it seems the default is set to PasswordHasherCompatibilityMode.IdentityV2, which is HMAC-SHA1, in ASP.NET 5. I tried to create an instance of PasswordHasherOptions to add to services (DI) but could not get it to work.

V3 uses PBKDF2 with HMAC-SHA256, 128-bit salt, 256-bit subkey, 10000 iterations.

I hope this will be as easy as a configuration setting in future, rather than having to write a custom implementation, since all the code is already there.

Update:

    services.Configure<PasswordHasherOptions>(options =>
        options.CompatibilityMode = PasswordHasherCompatibilityMode.IdentityV3);

SamJackSon
  • How did you try to register the `PasswordHasherOptions`? Mind posting your `Configure` and `ConfigureServices` methods? – Tseng Apr 04 '16 at 07:41



The default shouldn't be V2; the default is the newer format, as you can see in https://github.com/aspnet/Identity/blob/dev/src/Microsoft.AspNetCore.Identity/PasswordHasherOptions.cs

    /// <remarks>
    /// The default compatibility mode is 'ASP.NET Identity version 3'.
    /// </remarks>
    public PasswordHasherCompatibilityMode CompatibilityMode { get; set; } = 
           PasswordHasherCompatibilityMode.IdentityV3;

If the first byte of the hashed password is 0x01 then it's a version 3 hash.

If you're seeing 0x00 then either it's configured elsewhere in your code, or there's a bug, in which case please log it on GitHub.

blowdart
  • Thanks, that seems to be the case. I will check that & get back. – SamJackSon Apr 05 '16 at 01:15
  • Sorry, I could not yet figure out how to confirm whether it is in fact V3. I tried to set the mode to `PasswordHasherCompatibilityMode.IdentityV2` in `Startup.ConfigureServices`, but it is still generating a hash of the same length. Any pointers? – SamJackSon Apr 08 '16 at 05:38
  • Unless you can tell me which version of identity you're using there's not exactly a lot I can do here. What's the first byte in each stored password? – blowdart Apr 08 '16 at 12:16
  • Additional question: what size are you expecting? The v3 format is `{ 0x01, prf (UInt32), iter count (UInt32), salt length (UInt32), salt, subkey }`. Each UInt32 is 4 bytes. So what's the actual salt length in a stored password? – blowdart Apr 08 '16 at 13:07
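The first-byte check from the answer and the v3 layout from the last comment, as an added worked example (not code from the question, the answer, or the ASP.NET Identity project). It builds both formats with the same PBKDF2 parameters Identity uses, decodes a stored `PasswordHash` string to report its version, PRF, iteration count and salt length, and re-verifies a password against it. Python is used here because the point is inspecting the base64 strings as they sit in the database, which does not require the .NET runtime. The v2 constants (PBKDF2-HMAC-SHA1, 1000 iterations, 16-byte salt, 32-byte subkey) and the `KeyDerivationPrf` numbering (HMACSHA1 = 0, HMACSHA256 = 1, HMACSHA512 = 2) come from the Identity source; the sample password and the fixed salt are constructed for reproducibility.

```python
import base64
import hashlib
import hmac
import os
import struct

# KeyDerivationPrf enum values from Microsoft.AspNetCore.Cryptography.KeyDerivation
PRF_NAMES = {0: "HMACSHA1", 1: "HMACSHA256", 2: "HMACSHA512"}
PRF_DIGESTS = {0: "sha1", 1: "sha256", 2: "sha512"}

# PasswordHasher constants (same 256-bit subkey in both formats)
SUBKEY_LEN = 32
V2_SALT_LEN = 16
V2_ITERATIONS = 1000      # IdentityV2: PBKDF2-HMAC-SHA1, 1000 iterations
V3_SALT_LEN = 16
V3_ITERATIONS = 10000     # IdentityV3 default: PBKDF2-HMAC-SHA256, 10000 iterations
V3_PRF = 1                # HMACSHA256


def hash_password_v2(password, salt=None):
    """IdentityV2 layout: 0x00 || salt(16) || subkey(32)  (49 bytes, 68 base64 chars)."""
    salt = os.urandom(V2_SALT_LEN) if salt is None else salt
    subkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                 V2_ITERATIONS, SUBKEY_LEN)
    return base64.b64encode(b"\x00" + salt + subkey).decode("ascii")


def hash_password_v3(password, salt=None, iterations=V3_ITERATIONS, prf=V3_PRF):
    """IdentityV3 layout: 0x01 || prf(4) || iter(4) || saltlen(4) || salt || subkey(32).
    The three UInt32 header fields are big-endian (network byte order); with the
    defaults that is 61 bytes, i.e. 84 base64 chars."""
    salt = os.urandom(V3_SALT_LEN) if salt is None else salt
    subkey = hashlib.pbkdf2_hmac(PRF_DIGESTS[prf], password.encode("utf-8"), salt,
                                 iterations, SUBKEY_LEN)
    header = b"\x01" + struct.pack(">III", prf, iterations, len(salt))
    return base64.b64encode(header + salt + subkey).decode("ascii")


def inspect_hash(stored):
    """Decode a stored PasswordHash value and report which format it is in."""
    raw = base64.b64decode(stored)
    marker = raw[0]
    if marker == 0x00:
        return {"version": 2, "prf": "HMACSHA1", "iterations": V2_ITERATIONS,
                "salt_length": V2_SALT_LEN,
                "subkey_length": len(raw) - 1 - V2_SALT_LEN, "total_bytes": len(raw)}
    if marker == 0x01:
        prf, iterations, salt_len = struct.unpack(">III", raw[1:13])
        return {"version": 3, "prf": PRF_NAMES.get(prf, "unknown(%d)" % prf),
                "iterations": iterations, "salt_length": salt_len,
                "subkey_length": len(raw) - 13 - salt_len, "total_bytes": len(raw)}
    raise ValueError("unknown format marker 0x%02x" % marker)


def verify_password(stored, password):
    """Re-derive the subkey from the parameters stored in the hash and compare in constant time."""
    raw = base64.b64decode(stored)
    pw = password.encode("utf-8")
    if raw[0] == 0x00:
        if len(raw) != 1 + V2_SALT_LEN + SUBKEY_LEN:
            return False
        salt, expected = raw[1:1 + V2_SALT_LEN], raw[1 + V2_SALT_LEN:]
        actual = hashlib.pbkdf2_hmac("sha1", pw, salt, V2_ITERATIONS, len(expected))
    elif raw[0] == 0x01:
        prf, iterations, salt_len = struct.unpack(">III", raw[1:13])
        # Identity rejects v3 hashes whose salt or subkey is shorter than 128 bits
        if prf not in PRF_DIGESTS or salt_len < 16 or len(raw) - 13 - salt_len < 16:
            return False
        salt, expected = raw[13:13 + salt_len], raw[13 + salt_len:]
        actual = hashlib.pbkdf2_hmac(PRF_DIGESTS[prf], pw, salt, iterations, len(expected))
    else:
        return False
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample: a fixed salt so the two outputs are reproducible
    demo_salt = bytes(range(16))
    for stored in (hash_password_v2("P@ssw0rd!", demo_salt),
                   hash_password_v3("P@ssw0rd!", demo_salt)):
        print(len(stored), "base64 chars:", inspect_hash(stored))
```

A quick eyeball test without decoding: because the top six bits of both 0x00 and 0x01 are zero, every stored hash starts with `A`, and the version marker lands in the second base64 character. A v2 hash's second character is in `A`..`P`; a v3 hash's is in `Q`..`f`. With the v3 defaults the string is also 84 characters long instead of 68, so a column of hashes that are all 68 characters has been produced in v2 mode.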