I have two projects with .Net Framework and .Net Core; both use the same database.
The database has user details for login and role management and that's done in .Net Identity and .Net Core Identity respectively.
When logging in, both applications' UserManagers are fetching the user with the entered email, but I get incorrect password on one application.
So I want to know whether there is any difference in the choice of password hashing algorithm in .Net Identity and .Net Core Identity.
Checking this blog post, it would appear that the default algorithms are indeed different:
The default implementation in the Identity framework is the PasswordHasher class (source code). This clas[sic] is designed to work with two different hashing formats:
- ASP.NET Identity Version 2: PBKDF2 with HMAC-SHA1, 128-bit salt, 256-bit subkey, 1,000 iterations
- ASP.NET Core Identity Version 3: PBKDF2 with HMAC-SHA256, 128-bit salt, 256-bit subkey, 10,000 iterations
Emphasis mine
Although they both use PBKDF2, there are some subtle differences.
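To see which of the two formats a row in the shared user table carries, the stored PasswordHash value can be decoded and checked, as in this added example (not code from the answer, the blog post or the Identity project). The byte layout (leading marker byte, V3 header fields, PRF ids) is not given on the page and is an assumption taken from the public PasswordHasher source; the sample hashes are constructed.

```python
import base64, hashlib, hmac, struct

# Assumption (not on the page): marker byte 0x00 = Identity V2, 0x01 = Core
# Identity V3 with a 12-byte big-endian header (prf id, iterations, salt length).
PRF_NAMES = {0: "sha1", 1: "sha256", 2: "sha512"}

def parse_identity_hash(b64):
    """Decode a stored PasswordHash value into its PBKDF2 parameters."""
    raw = base64.b64decode(b64)
    if not raw:
        raise ValueError("empty hash")
    if raw[0] == 0x00:  # V2: marker | salt(16) | subkey(32), SHA1, 1,000 rounds
        if len(raw) != 1 + 16 + 32:
            raise ValueError("bad V2 length")
        return {"version": 2, "prf": "sha1", "iterations": 1000,
                "salt": raw[1:17], "subkey": raw[17:]}
    if raw[0] == 0x01:  # V3: marker | prf | iterations | salt length | salt | subkey
        if len(raw) < 13:
            raise ValueError("truncated V3 header")
        prf, iters, salt_len = struct.unpack(">III", raw[1:13])
        if (prf not in PRF_NAMES or iters < 1 or salt_len < 16
                or len(raw) < 13 + salt_len + 16):
            raise ValueError("bad V3 header")
        return {"version": 3, "prf": PRF_NAMES[prf], "iterations": iters,
                "salt": raw[13:13 + salt_len], "subkey": raw[13 + salt_len:]}
    raise ValueError("unknown format marker 0x%02x" % raw[0])

def verify(b64, password):
    """Re-derive the subkey with the parameters found in the hash itself."""
    p = parse_identity_hash(b64)
    derived = hashlib.pbkdf2_hmac(p["prf"], password.encode("utf-8"),
                                  p["salt"], p["iterations"], len(p["subkey"]))
    return hmac.compare_digest(derived, p["subkey"])  # constant-time compare

# Constructed sample hashes (fixed salt so the output is reproducible).
def make_v2(password, salt):
    sub = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 1000, 32)
    return base64.b64encode(b"\x00" + salt + sub).decode()

def make_v3(password, salt, iters=10000):
    sub = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters, 32)
    header = b"\x01" + struct.pack(">III", 1, iters, len(salt))
    return base64.b64encode(header + salt + sub).decode()

if __name__ == "__main__":
    salt = bytes(range(16))
    for h in (make_v2("Passw0rd!", salt), make_v3("Passw0rd!", salt)):
        info = parse_identity_hash(h)
        print(info["version"], info["prf"], info["iterations"], verify(h, "Passw0rd!"))
```

A value that parses as version 3 was written by the .Net Core application; a verifier that only implements the version 2 parameters cannot reproduce its subkey.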