Temporary save password in db ASP.NET Core

Question

I'm developing .NET Core app + Identity. I want to implement user signing up. User enter your data login/password etc. And the next step I need to confirm email and I don't want to create user in db before he confirm email, because I need to create new db for him. I want to save data to temp table in db. And after confirmation I will take data from there and continue with registration and after that remove record from temp table.

But as I see Identity has method userManager.Create(user, password) with password in clear text.

Do I need hash/dehash password algorithm? If yes, then what is it? What is the best approach to store secure password in temp table?

The default implementation of the userManager hashes the password by default and it is never stored or transmitted in cleartext. — Marco, Dec 12 '16 at 08:45

score 2 · Answer 1 · answered Dec 12 '16 at 08:38

2

No you don't need - I will be automatically hashed in the database by UserManager.

In my opinion it's not good idea to create temporary record. Simply create user, mark it as inactive until he will confirm his email. That's the right approach.

answered Dec 12 '16 at 08:38

Dawid Rutkowski

2,658
1
29
36

In my case, after user signed up I need to create new db and then store that new user in new db. And I don't want to create db for all users without confirmation email. – A. Gladkiy Dec 12 '16 at 08:41
In that case maybe concept of some kind "master" database would be a good idea (beside databases dedicated to specific users) – Dawid Rutkowski Dec 12 '16 at 08:45
So, do I need to setup Identity to "master" db, save user there and after confirmation email move data from "master" db to new one? – A. Gladkiy Dec 12 '16 at 08:49
In that case maybe it's good idea - at the beginning I didn't know that you need to create DB per user. Or you can try to override default user store. – Dawid Rutkowski Dec 12 '16 at 08:53
Can I create user without password with Identity. And then simply add PasswordHash to him. Will Identity work fine after that? I mean security stamp etc. – A. Gladkiy Dec 12 '16 at 08:58
Yep, it's possible. Take a look here: http://stackoverflow.com/questions/33813376/creating-users-with-no-password-using-asp-net-identity – Dawid Rutkowski Dec 12 '16 at 09:08
Me too, I want to keep it simple, but I'm worrying about Identity. – A. Gladkiy Dec 12 '16 at 09:09

score 0 · Answer 2 · answered Dec 12 '16 at 08:41

Necessarily you have to use some hash algorithm. Identity uses Password-Based Key Derivation Function 2 (PBKDF2) - wiki. Here is sample hash password method.

public static string HashPass(string pwd)
{
    byte[] salt;
    byte[] bytes;

    using (Rfc2898DeriveBytes rfc2898DeriveByte = new Rfc2898DeriveBytes(pwd, 16, 1000))
    {
        salt = rfc2898DeriveByte.Salt;
        bytes = rfc2898DeriveByte.GetBytes(32);
    }
    byte[] num = new byte[49];
    Buffer.BlockCopy(salt, 0, num, 1, 16);
    Buffer.BlockCopy(bytes, 0, num, 17, 32);
    return Convert.ToBase64String(num);
}

Better idea will be used UserAccount table with some status where you can store status about user account:

public class UserAccount
{
   public int AccountId {  get; set;}

   public UserAccountStatus AccountStatus { get; set; }

}

public enum UserAccountStatus 
{
   Pending = 0,
   UsingTempPassword = 1
   Active = 2
}

For new user I need to create db and store that there, but I don't want to do it for all users. And as I understand I can't dehash password in your case? — A. Gladkiy, Dec 12 '16 at 08:52
In the ASP.NET Core something like that is possible: `userManager.PasswordHasher=new MyPasswordHasher()` — Dawid Rutkowski, Dec 12 '16 at 08:53

score 0 · Accepted Answer · answered Dec 27 '16 at 07:18

So, I did the following:

1) Generate password for user = null (first parameter):

var hashPassword = _passwordHasher.HashPassword(null, command.Password);

2) When user confirm email, I create him with default password that go through password validation settings in Startup.cs class:

_userManager.CreateAsync(user, "123456");

3) Update PasswordHash column and user with value from step 1:

user.PasswordHash = command.PasswordHash;
_userManager.UpdateAsync(user);

user7270881 · Answer 4 · 2016-12-12T10:45:19.190

The best I think is SHA1 hash algorithm, it is 128 bit by standard. I remember when I did my PHP thesis using it :). It is the most secure of all.

Use Forms Authentication ( https://msdn.microsoft.com/en-us/library/t8yy6w3h.aspx ):

<configuration>
<connectionStrings>
     <add name="SqlServices" connectionString="Data Source=MySqlServer;Integrated Security=SSPI;Initial Catalog=aspnetdb;" />
</connectionStrings>
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="login.aspx" />
  </authentication>
  <authorization>
    <deny users="?" />
  </authorization>
  <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="20">
  <providers>        
    <add name="SqlProvider"
      type="System.Web.Security.SqlMembershipProvider"
      connectionStringName="SqlServices"
      enablePasswordRetrieval="false"
      enablePasswordReset="true"
      requiresQuestionAndAnswer="false"
      passwordFormat="Hashed"
      applicationName="/" />
  </providers>
</membership>
</configuration>
</system.web>

U just change the instance name and the login page. The default hash alg. is SHA1 and it changes to HMACSHA256 or SHA256 in the .NET 4.0 Framework. U can override it:

<membership
    defaultProvider="provider name"
    userIsOnlineTimeWindow="number of minutes"
    hashAlgorithmType="SHA1">
    <providers>...</providers>
</membership>

You can specify the greatest SHA your .NET version supports, for .NET 4 and latest is SHA512, but the default value must be ok.

To add yours you can read here (it is just a .dll to be configured in machine.config or possibly also in web.config, if u don't want to use it globally):

https://msdn.microsoft.com/en-us/library/693aff9y.aspx

Use Membership.Validate to validate the user at log-on.

If you use the new MVC thing that came 2013 there is UserManager u simply implement your User that holds the email, that's all, it must be IUser. There is a method UserManager.CreateUser(TUser user, string password)

The membership provider and asp.net identity (which is what the OP is using) are 2 very different and incompatible frameworks for managing users. — Igor, Dec 12 '16 at 10:05
SHA1 is considered fundamentally broken. It is certainly not the "most secure of all" and it borders on negligence to recommend it so strongly. — Richard Szalay, Dec 27 '16 at 08:20

Temporary save password in db ASP.NET Core

4 Answers4