
Storing and comparing multiple passwords with ServiceStack

I'm attempting to create a password expiration function in my application. Passwords are already set up as well as authentication and changing passwords. Now I want to prompt the user to change their password after x amount of time.

When the user goes to change their password and my Angular frontend makes that request I want my C# Service Stack API to compare the given new password with the current password and the password before that to check for duplication.

I'm not worried about slight variations. If the user submits the same password but with one extra character, for example, that's fine. I want it to be as simple as possible to start.

The passwords are stored in a MS SQL Server in two columns Salt varchar(8000) and PasswordHash varchar(8000) . I've got everything set up I'm just very confused on how to compare the hashed password with the string provided by the User. Then save the old password in a new hashed column. I've been searching the web and SOF for three days now and I haven't found anything. Any guidance would be greatly appreciated.

Following on @Fildor's comment, you'll need to create an audit history of password changes containing the hashes of existing passwords. From ServiceStack v5+ ServiceStack switched to use the same PBKDF2 password hashing algorithm ASP.NET Identity v3 uses, which stores the password hash + salt + iterations + algorithm version in a single PasswordHash field on the UserAuth table, so your password audit history table only needs a single column to store the existing password hash.

The password hashing algorithm is available from the IPasswordHasher dependency, which you can use in your Service implementation like:

using System;
using ServiceStack;
using ServiceStack.Auth;

public class AllowPasswordService : Service
{
    // Injected by ServiceStack's IOC; ServiceStack v5+ registers the PBKDF2 PasswordHasher by default
    public IPasswordHasher PasswordHasher { get; set; }

    public object Any(AllowPassword request)
    {
        // MyRepo is the answer's placeholder for whatever stores your password audit history
        var passwordHashes = MyRepo.GetExistingUserPasswords(GetSession().UserAuthId);
        foreach (var passwordHash in passwordHashes)
        {
            // VerifyPassword reads the salt, iterations and algorithm version out of the stored hash itself
            if (PasswordHasher.VerifyPassword(passwordHash, request.Password, out var needsRehash))
                throw new ArgumentException("Can't use existing password", nameof(request.Password));
        }

        return new AllowPasswordResponse();
    }
}
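To show the whole round trip the answer describes (verify the current password, reject reuse against the current hash plus the previous one, retire the old hash into an audit table, store the new hash), here is an added example that is not part of the answer above. It assumes a ServiceStack v5+ AppHost with OrmLite and the default PBKDF2 IPasswordHasher registered, that UserAuth.PasswordHash already holds hashes in the v5 format (rows still carrying a legacy Salt + PasswordHash pair will not verify through IPasswordHasher and need the old comparison path first), and the PasswordHistory table, HistoryDepth constant and ChangePasswordWithHistory DTO are made up for this example:

```csharp
using System;
using System.Linq;
using ServiceStack;
using ServiceStack.Auth;
using ServiceStack.DataAnnotations;
using ServiceStack.OrmLite;

// Assumed audit table: one row per retired hash. Since v5 the hash string already
// embeds salt, iterations and algorithm version, so a single column is enough.
public class PasswordHistory
{
    [AutoIncrement] public int Id { get; set; }
    [Index] public int UserAuthId { get; set; }
    public string PasswordHash { get; set; }
    public DateTime CreatedDate { get; set; }
}

[Authenticate] // only a logged-in user can change their own password
public class ChangePasswordWithHistory : IReturn<ChangePasswordWithHistoryResponse>
{
    public string CurrentPassword { get; set; }
    public string NewPassword { get; set; }
}

public class ChangePasswordWithHistoryResponse { }

public class PasswordHistoryService : Service
{
    // Current password + one previous, as the question asks for. Raise to widen the window.
    const int HistoryDepth = 2;

    public IPasswordHasher PasswordHasher { get; set; } // injected by the IOC

    public object Post(ChangePasswordWithHistory request)
    {
        var userId = int.Parse(GetSession().UserAuthId);
        var user = Db.SingleById<UserAuth>(userId);

        // Re-authenticate before allowing a change so a hijacked session cannot rotate the password silently.
        if (!PasswordHasher.VerifyPassword(user.PasswordHash, request.CurrentPassword, out _))
            throw HttpError.Unauthorized("Current password is incorrect");

        // Candidates the new password must not match: the live hash plus the most recent retired ones.
        var recentHashes = Db.Select(Db.From<PasswordHistory>()
                .Where(x => x.UserAuthId == userId)
                .OrderByDescending(x => x.CreatedDate)
                .Limit(HistoryDepth - 1))
            .Select(x => x.PasswordHash)
            .ToList();
        recentHashes.Insert(0, user.PasswordHash);

        // The hashes are salted, so the only way to compare is to verify the plaintext against each one.
        foreach (var oldHash in recentHashes)
        {
            if (PasswordHasher.VerifyPassword(oldHash, request.NewPassword, out _))
                throw new ArgumentException(
                    "New password must differ from your last " + HistoryDepth + " passwords",
                    nameof(request.NewPassword));
        }

        // Retire the old hash and store the new one in a single transaction so the audit trail
        // and the live credential cannot drift apart if one write fails.
        using (var trans = Db.OpenTransaction())
        {
            Db.Insert(new PasswordHistory
            {
                UserAuthId = userId,
                PasswordHash = user.PasswordHash,
                CreatedDate = DateTime.UtcNow,
            });

            user.PasswordHash = PasswordHasher.HashPassword(request.NewPassword);
            user.Salt = null; // the v5 hash format carries its own salt; the legacy column is no longer used
            user.ModifiedDate = DateTime.UtcNow;
            Db.Update(user);

            trans.Commit();
        }

        return new ChangePasswordWithHistoryResponse();
    }
}
```

Only the plaintext the user just typed is ever compared, and only against hashes; nothing reversible is stored in PasswordHistory. Because each VerifyPassword call runs the full PBKDF2 cost, keep HistoryDepth small or the change-password endpoint becomes noticeably slower than login.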
