Create Password and Passwordsalt

Question

I have an existing table that has 100 users and passwords. The data type is a varchar. I just created an asp.net mvc application and I want to convert the password to aspnet_membership table.

How do I convert varchar password on SQL level as "Password" and "Passwordsalt" in aspnet_membership table?

Answer 1

Password & PasswordSalt part are not processed and created at "SQL Level" If you look closely to the asp.net membership database - tables / stored procedures / other objects. Then you will find that there are two stored procedures (sp for short) to create User in asp.net membership database tables.

1. aspnet_Membership_CreateUser
2. aspnet_Users_CreateUser

These sps will create user entry in aspnet_Membership & aspnet_Users table respectively. ASP.Net membership works on the web.config file settings that you setup. An example default webconfig entry will something like this:

<authentication mode="Forms"> // If you are using Form authentication
  <forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>

<membership>
  <providers>
    <clear/>
    <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices"
         enablePasswordRetrieval="false" passwordFormat="Encrypted" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
         maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
         applicationName="/" />
  </providers>
</membership>

In this settings section the attribute "passwordFormat" sets the way your user password is stored. Options are - Clear (0), Hashed (1), Encrypted (2)

By default it will be having hashed value - or if u have not specified passwordFormat.

In clear text the password will be saved as - Text clear - readable.

With the Hashed option the password will not be (Encrypted), only encoded using a Hashing alogorithm

With the Encrypted option the password will be Encrypted and then encoded.

Encrypted option u specifies a non-auto generated "machine key" To get one see: Get a non-autogenerated machine key

Password salt is a randomly generated string which is used to Encrypt and encode the password along with the Validation & Decryption Key.

If you want to overide the encryption method of asp.net membership provider and encode youself, (if using custome membership provider), you can do something like this:

private string EncodePassword(byte passFormat, string passtext, string passwordSalt)
{
    if(passFormat.Equals(0)) // passwordFormat="Clear" (0)
        return passtext;
    else{
        byte[] bytePASS = Encoding.Unicode.GetBytes(passtext);
        byte[] byteSALT = Convert.FromBase64String(passwordSalt);
        byte[] byteRESULT = new byte[byteSALT.Length + bytePASS.Length + 1];

        System.Buffer.BlockCopy(byteSALT, 0, byteRESULT, 0, byteSALT.Length);
        System.Buffer.BlockCopy(bytePASS, 0, byteRESULT, byteSALT.Length, bytePASS.Length);

        if(passFormat.Equals(1)) // passwordFormat="Hashed" (1)
        {
            HashAlgorithm ha = HashAlgorithm.Create(Membership.HashAlgorithmType);
            return (Convert.ToBase64String(ha.ComputeHash(byteRESULT)));
        }
        else // passwordFormat="Encrypted" (2)
        {
            MyCustomMembership myObj = new MyCustomMembership();
            return(Convert.ToBase64String(myObj.EncryptPassword(byteRESULT)));
        }
    }
}

Example usage:

    string passSalt = // Either generate a random salt for that user, or retrieve the salt from database if the user is in edit and has a password salt
    EncodePassword(/* 0 or 1 or 2 */, passwordText, passSalt);

I hope this helps.