rustd/AspnetIdentitySample

How does the Password and SecurityStamp work?

JoshSimerman opened this issue · 2 comments

And more specifically, is it configurable? Can you configure a work factor to control how difficult the hash function will be? That would be really nice, but an alternative would be to mix in a library to override the password hashing functions.

http://codahale.com/how-to-safely-store-a-password/

http://www.troyhunt.com/2012/07/stronger-password-hashing-in-net-with.html

The password hasher is pluggable in the UserManager so you can plug in your own.

In 2.0.0-alpha1 we are using the securityStamp to implement SignOut from everywhere. More details are at http://blogs.msdn.com/b/webdev/archive/2013/12/20/announcing-preview-of-microsoft-aspnet-identity-2-0-0-alpha1.aspx.

Copied the relevant portion below
Security Token Provider

Support a way to regenerate the Security Token for the user in cases when the User changes their password or any other security related information such as removing an associated login (such as Facebook, Google, Microsoft Account etc). This is needed to ensure that any tokens generated with the old password are invalidated. In the sample project, if you change the user's password then a new token is generated for the user and any previous tokens are invalidated. This feature provides an extra layer of security to your application since when you change your password, you will be logged out from everywhere (all other browsers) where you have logged into this application.
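As an added illustration of the pluggable hasher mentioned above (this is example code, not part of the sample project or of ASP.NET Identity), the following implements `IPasswordHasher` with PBKDF2 and a configurable iteration count as the work factor, storing the count alongside the hash so it can be raised later; `userManager` in the final line is an assumed `UserManager` instance.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNet.Identity;

// Added example: PBKDF2 hasher whose iteration count is the tunable work factor.
public class ConfigurablePasswordHasher : IPasswordHasher
{
    private const int SaltSize = 16, KeySize = 32;
    private readonly int _iterations;

    public ConfigurablePasswordHasher(int iterations) { _iterations = iterations; }

    public string HashPassword(string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        byte[] key;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, _iterations))
            key = kdf.GetBytes(KeySize);
        // Persist the work factor with the hash: "<iterations>$<salt>$<key>".
        return string.Join("$", _iterations, Convert.ToBase64String(salt), Convert.ToBase64String(key));
    }

    public PasswordVerificationResult VerifyHashedPassword(string hashedPassword, string providedPassword)
    {
        var parts = hashedPassword.Split('$');
        int iterations;
        if (parts.Length != 3 || !int.TryParse(parts[0], out iterations) || iterations < 1)
            return PasswordVerificationResult.Failed;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(providedPassword, salt, iterations))
            actual = kdf.GetBytes(expected.Length);
        if (!FixedTimeEquals(expected, actual)) return PasswordVerificationResult.Failed;
        // Tell Identity to rehash when the stored work factor is below the current setting.
        return iterations < _iterations
            ? PasswordVerificationResult.SuccessRehashNeeded
            : PasswordVerificationResult.Success;
    }

    // Compare without early exit so timing does not leak how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Wiring (assumed UserManager instance): userManager.PasswordHasher = new ConfigurablePasswordHasher(100000);
```

Raising the constructor argument later makes existing users' logins return `SuccessRehashNeeded`, at which point the application can rehash with the new work factor.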