Hi,
I'm implementing a policy where passwords cannot be reused and have the structure in place; however, I'm trying to work out how to check this against the PasswordHasher, and I always get a failed match.
I've overridden the ChangePasswordAsync method in the ApplicationUserManager as follows: newPassword is passed in as plain text, hashed, and then I attempt to verify it against the previous entries.
```csharp
public override async Task<IdentityResult> ChangePasswordAsync(string userId, string currentPassword, string newPassword)
{
    var hashedPassword = PasswordHasher.HashPassword(newPassword);

    using (var databaseContext = new ApplicationDbContext())
    {
        var history = databaseContext.PasswordHistories
            .OrderBy(h => h.PasswordCreated)
            .Where(h => h.ApplicationUserId == userId)
            .ToList();

        foreach (var passwordHistory in history)
        {
            var pwResult = PasswordHasher.VerifyHashedPassword(passwordHistory.PasswordHash, hashedPassword);
        }

        if (history.Select(h => h.PasswordHash)
                   .Any(p => PasswordHasher.VerifyHashedPassword(p, hashedPassword) == PasswordVerificationResult.Success))
        {
            return new IdentityResult("Password must be different from the previous 12 used passwords");
        }

        //Omitted for simplicity
    }
}
```
I thought I might be doing something stupid until I ran a very simple test in the immediate window, which consistently returns Failed.

```csharp
PasswordHasher.VerifyHashedPassword(PasswordHasher.HashPassword(newPassword), PasswordHasher.HashPassword(newPassword))
```
Any ideas?
Thanks
Stuart