
I'm building an application that uses a dotnet core API and identity core for user management. I was investigating my database and panicked when I saw that all strings in the PasswordHash field started with the same characters: AQAAAAEAACcQAAAAE, as I thought salting wasn't working properly. I realize now that salting is indeed working properly, as the rest of the password hash changes with every password, but now I'm curious about this mysterious prefix.

What is this password hash prefix used for in identity core?

Chase
  • The password isn't just a password. It has the password algorithm version, a salt, a hash etc. Your question could probably be answered by [ASP.NET Identity's default Password Hasher - How does it work and is it secure?](https://stackoverflow.com/questions/20621950/asp-net-identitys-default-password-hasher-how-does-it-work-and-is-it-secure). – Erik Philips Oct 30 '19 at 21:53
  • Interesting. So in absence of a PasswordSalt field, identity core stores information about how the password was hashed in the first 17 characters of the password hash? It seems to me that those characters shouldn't always be the same since the salt is randomly generated. – Chase Oct 30 '19 at 22:04
  • When you look at the v3 version, the first 13 bytes store some settings that are more or less constant. That means the first 16 base64 chars will be stable. The Salt starts at 13. – Henk Holterman Oct 30 '19 at 22:11
  • @Chase the goal was to keep passwords compatible across many systems of storage (sql server, my sql, no sql etc) without the need for other custom columns (salt, timestamp etc). This also means there is forward compatibility with Identity Version X. – Erik Philips Oct 30 '19 at 22:40
