Geek Answers Handbook

Convert a simple password to EF Asp.Net Identity PasswordHash

I have a project in which we need to transfer many users who have their password in plain text to a new database, where we will enter the password.

The new system uses the Entity Framework and needs to be authenticated using the Identity Asp.Net infrastructure.

I found that I can generate the correct hashed password in C #, which the Entity Framework can read without problems.

public static string HashPassword(string password) { byte[] salt; byte[] buffer2; using (var bytes = new Rfc2898DeriveBytes(password, 0x10, 0x3e8)) { salt = bytes.Salt; buffer2 = bytes.GetBytes(0x20); } byte[] dst = new byte[0x31]; Buffer.BlockCopy(salt, 0, dst, 1, 0x10); Buffer.BlockCopy(buffer2, 0, dst, 0x11, 0x20); return Convert.ToBase64String(dst); }

Is there something similar in SQL that I could use in an INSERT statement from SELECT to another table?

+5
source share
1 answer

Not built-in, hashing is intense and usually the operation you want to avoid on the database server, I understand that migration is not a normal operation. The solution depends a bit on why you want to run SQL.

If this is because of simplicity, I would look at something like this question. Is there an SQL implementation for PBKDF2?

If this is due to performance, I would think about just building a small .net migrator and using bulk insert / update. For example, with https://github.com/MikaelEliasson/EntityFramework.Utilities#batch-update-entities you could only read UserId and a plain text password with highlighted. Hash it in .net and then update the database by one volume, possibly more than 100,000 updates / second.

Now two small warnings. Make sure that you do not use text passwords in the transaction log. Suppose that you have hashed the original database before it is in the new one. Otherwise, it is possible to clear the transaction log after the initial import. How do I delete the SQL Server transaction log?

Instead of writing the hash method yourself, you can use PasswordHasher, which by default uses the Asp.net identifier. He, in turn, uses Rfc2898DeriveBytes. See This Answer fooobar.com/questions/57861 / ...

+3
source

More articles:


All Articles