I have some questions on the MembershipProvider in .Net that I have been unable to find clear answers to.
- What type of encryption is used, AES?
- The method EncryptPassword, can it handle any salt, or do I simply add that before passing it?
- The method DecryptPassword - can you really decrypt the password? Isn't that a poor practice to be able to do?
Thank you for the input!
From the documentation of the add Element for providers for membership (ASP.NET Settings Schema):

- enablePasswordRetrieval attribute: "Specifies whether the membership provider instance supports password retrieval. If true, the membership provider instance supports password retrieval. The default is false for both the SQL and Active Directory providers."
- passwordFormat attribute: "One of the MembershipPasswordFormat values that indicates the format for storing passwords in the membership data store. The default is Hashed."
- Hashed: "Passwords are encrypted one-way using the SHA1 hashing algorithm. You can specify a hashing algorithm different than the SHA1 algorithm using the hashAlgorithmType attribute."
- Encrypted: "Passwords are encrypted using the encryption settings determined by the machineKey Element (ASP.NET Settings Schema) element configuration."
So, by default the SqlMembershipProvider uses a hashed (one-way) password that is hashed with SHA1. Hashing the passwords doesn't use the EncryptPassword/DecryptPassword methods, but no, you cannot manually pass salts to the encryption/encoding of passwords (it salts them for you).
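To make the configuration side of this concrete, here is an added web.config fragment (not from the question or the answer above) that registers two SqlMembershipProvider instances side by side: one with the reversible `Encrypted` format and password retrieval switched on, and one with the default one-way `Hashed` format, which is the one `defaultProvider` points at. The element and attribute names are the documented ASP.NET membership ones; the provider names, the connection string name and the machineKey values are placeholders I made up for the example.

```xml
<!-- Added example configuration; not taken from the question or answer. -->
<configuration>
  <system.web>
    <!-- passwordFormat="Encrypted" needs an explicit (non-AutoGenerate) key here,
         otherwise the provider refuses to start. Placeholder values, not real keys. -->
    <machineKey decryptionKey="PLACEHOLDER_HEX_DECRYPTION_KEY"
                decryption="AES"
                validationKey="PLACEHOLDER_HEX_VALIDATION_KEY"
                validation="HMACSHA256" />

    <!-- hashAlgorithmType lives on <membership>, not on the provider, and only
         affects providers whose passwordFormat is Hashed. -->
    <membership defaultProvider="HashedProvider" hashAlgorithmType="SHA256">
      <providers>
        <clear />

        <!-- Reversible storage: anyone with the machineKey (or a backup of it
             plus the database) can recover every plaintext password. -->
        <add name="ReversibleProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             passwordFormat="Encrypted"
             enablePasswordRetrieval="true" />

        <!-- Default, one-way storage: the provider generates a per-user salt,
             stores it next to the hash, and can only verify, never retrieve. -->
        <add name="HashedProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

With the hashed provider the stored PasswordFormat column is 1 (the MembershipPasswordFormat.Hashed value) and PasswordSalt is filled in by the provider itself, which is why there is no way to pass your own salt in; with the encrypted provider it is 2 and the ciphertext is only as protected as the machineKey section that can decrypt it.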