Tags: .net, asp.net-core, asp.net-identity, identity, asp.net-core-identity

Difference in hashing algorithms of .Net Identity and .Net Core Identity


I have two projects with .Net Framework and .Net Core; both use the same database.

The database has user details for login and role management and that's done in .Net Identity and .Net Core Identity respectively.

When logging in, both applications' UserManagers are fetching the user with the entered email, but I get an incorrect password on one application.

So I want to know whether there is any difference in the choice of password hashing algorithm in .Net Identity and .Net Core Identity.


Solution

  • Checking this blog post, it would appear that the default algorithms are indeed different:

    The default implementation in the Identity framework is the PasswordHasher class (source code). This class is designed to work with two different hashing formats:

    • ASP.NET Identity Version 2: PBKDF2 with HMAC-SHA1, 128-bit salt, 256-bit subkey, 1,000 iterations
    • ASP.NET Core Identity Version 3: PBKDF2 with HMAC-SHA256, 128-bit salt, 256-bit subkey, 10,000 iterations

    Emphasis mine

    Although they both use PBKDF2, there are some subtle differences.
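
The two formats quoted in the answer can be told apart from the stored hash itself. The following is an added example, not code from the answer or the blog post: it parses a Base64 stored hash and verifies a password with the parameters the hash declares. The byte layouts (format marker, big-endian V3 header) are taken from the comments in the Identity `PasswordHasher` source rather than from this page, and the sample salt and password are constructed.

```python
import base64
import hashlib
import hmac
import struct

# PRF ids in the V3 header (values of .NET's KeyDerivationPrf enum).
PRFS = {0: "sha1", 1: "sha256", 2: "sha512"}

def describe(stored_b64):
    """Parse a stored hash -> (version, prf, iterations, salt, subkey)."""
    blob = base64.b64decode(stored_b64)
    if not blob:
        raise ValueError("empty hash")
    if blob[0] == 0x00:  # V2 layout: 0x00 | salt[16] | subkey[32]
        if len(blob) != 49:
            raise ValueError("bad V2 length")
        return 2, "sha1", 1000, blob[1:17], blob[17:]
    if blob[0] == 0x01:  # V3 layout: 0x01 | prf | iterations | salt length | salt | subkey
        if len(blob) < 13:
            raise ValueError("truncated V3 header")
        prf, iterations, salt_len = struct.unpack(">III", blob[1:13])
        salt, subkey = blob[13:13 + salt_len], blob[13 + salt_len:]
        if (prf not in PRFS or iterations < 1 or salt_len < 16
                or len(salt) != salt_len or len(subkey) < 16):
            raise ValueError("malformed V3 hash")
        return 3, PRFS[prf], iterations, salt, subkey
    raise ValueError("unknown format marker 0x%02x" % blob[0])

def verify(stored_b64, password):
    """Recompute the subkey with the parameters the hash itself declares."""
    _, prf, iterations, salt, subkey = describe(stored_b64)
    derived = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, iterations, len(subkey))
    return hmac.compare_digest(derived, subkey)  # constant-time comparison

def make_v2(password, salt):
    key = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 1000, 32)
    return base64.b64encode(b"\x00" + salt + key).decode()

def make_v3(password, salt, iterations=10000):
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, 32)
    header = b"\x01" + struct.pack(">III", 1, iterations, len(salt))
    return base64.b64encode(header + salt + key).decode()

if __name__ == "__main__":
    salt = bytes(range(16))  # constructed sample salt, not from a real database
    for stored in (make_v2("Passw0rd!", salt), make_v3("Passw0rd!", salt)):
        version, prf, iterations, _, _ = describe(stored)
        print(version, prf, iterations, verify(stored, "Passw0rd!"))
```

Running `describe` over the hashes in the shared user table shows which application wrote each one; a verifier that only understands the V2 layout will reject any hash whose first byte is `0x01`.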