I am using a SqlMembershipProvider and storing my passwords as hashed. I am also keeping a history of the (hashed) passwords in another table. I want to be able to compare the password a user tries to change their password to, to their old passwords and throw an error if it was too recent. I do not seem to be able to figure out how to use the hashing functions to do this. Basically what I am looking for is a method like this:

public bool PasswordCompare(string plaintextPassword, string salt, string hashedPassword)
{
    //where the salt and hashedPassword are pulled out of the aspnet_Membership table
    //which are automatically generated by the provider
}

I hope this is clear, thank you.

naspinski
  • Why not simply put a trigger on the aspnet_Membership table that writes the UserId, Password and the current date and time into another logging table which you would then query for the last five? – Thomas Mar 07 '11 at 22:24
  • @Thomas are you suggesting storing passwords in plaintext? – Wyatt Barnett Mar 08 '11 at 03:20
  • @Wyatt Barnett - Of course not. You can store the hash (and salt) into a log table and compare the current hash and salt against that list. – Thomas Mar 08 '11 at 05:41
  • That is exactly what I am trying to do, I am storing each hashed password, but how exactly do I compare them? I can't get a hash to line up with an old password even if I put in the exact same password. – naspinski Mar 08 '11 at 15:34
  • What I ended up doing was changing the password, then checking it against the history - if it was a duplicate, changed it back. – naspinski Mar 09 '11 at 18:47

1 Answer

This post has some good info. Looks like you have to:

...implement your own customized MembershipProvider, record the password history and encrypt the password by yourself.

SQLMembershipProvider: Comparing Hashed Passwords

rick schott
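One way to write the comparison method the question asks for and run it over a history table, as an added example that is not part of the original thread or of ASP.NET itself. It recomputes the Hashed format as Base64 of the hash over the decoded salt bytes followed by the UTF-16LE password bytes, and assumes the provider is configured with the non-keyed SHA1 algorithm (check `Membership.HashAlgorithmType`; keyed algorithms are not covered here). The class `PasswordHistory`, the methods `Hash` and `WasUsedBefore`, and the sample salts and passwords are hypothetical or constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper class; not part of System.Web.Security.
public static class PasswordHistory
{
    // Assumed layout (SHA1, non-keyed): Base64( SHA1( saltBytes || UTF-16LE(password) ) )
    public static string Hash(string plaintextPassword, string salt)
    {
        byte[] saltBytes = Convert.FromBase64String(salt);
        byte[] passBytes = Encoding.Unicode.GetBytes(plaintextPassword);
        byte[] all = new byte[saltBytes.Length + passBytes.Length];
        Buffer.BlockCopy(saltBytes, 0, all, 0, saltBytes.Length);
        Buffer.BlockCopy(passBytes, 0, all, saltBytes.Length, passBytes.Length);
        using (SHA1 sha1 = SHA1.Create())
            return Convert.ToBase64String(sha1.ComputeHash(all));
    }

    public static bool PasswordCompare(string plaintextPassword, string salt, string hashedPassword)
    {
        byte[] expected = Convert.FromBase64String(hashedPassword);
        byte[] actual = Convert.FromBase64String(Hash(plaintextPassword, salt));
        int diff = expected.Length ^ actual.Length;   // compare every byte, no early exit
        for (int i = 0; i < expected.Length && i < actual.Length; i++)
            diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    // history: (PasswordSalt, Password) pairs logged from aspnet_Membership at each change.
    public static bool WasUsedBefore(string candidate, IEnumerable<KeyValuePair<string, string>> history)
    {
        foreach (KeyValuePair<string, string> row in history)
            if (PasswordCompare(candidate, row.Key, row.Value)) return true;
        return false;
    }

    public static void Main()
    {
        // Constructed sample rows: two old passwords, each stored with its own salt.
        string s1 = Convert.ToBase64String(Encoding.ASCII.GetBytes("constructed-salt1"));
        string s2 = Convert.ToBase64String(Encoding.ASCII.GetBytes("constructed-salt2"));
        var history = new List<KeyValuePair<string, string>> {
            new KeyValuePair<string, string>(s1, Hash("Winter2010!", s1)),
            new KeyValuePair<string, string>(s2, Hash("Spring2011!", s2)) };
        Console.WriteLine(WasUsedBefore("Winter2010!", history)); // candidate reuses an old password
        Console.WriteLine(WasUsedBefore("Summer2011!", history)); // candidate is not in the history
    }
}
```

The history table has to keep the salt next to each hash, because a hash can only be recomputed with the salt it was created with.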