Hey guys.

I have an application that was originally written in PHP using a SQL Server backend. All the user account passwords were stored in a MD5 Hash. The application has been rewritten completely in ASP (C#) still using a SQL Server backend.  I want to import the old users accounts (usernames,passwords,etc) into the new database. The problem is that I cant get ASP to just use straight up regular MD5 when creating new accounts and authenticating new and old accounts. There is a salt (tried making that null, still no go) and a passwordFormat [1 | 2 | 3] column as well. I've messed with everything. Even if you choose MD5 it still gets salted.

 
I was hoping to do this at the Membership level and not mess with each login form or anything. Let me know what you guys think.

 
Thanks.

.maple.
 

I could be wrong but I think you may run into problems with MD5 in SQL Server so run some tests, try the thread below for a related topic. I think MD5 depends on hash this link explains it and it is buried in the thread I posted.  Hope this helps.

http://www.obviex.com/Resources/Samples.aspx

http://forums.asp.net/thread/1339646.aspx

Hey Caddre,

Thanks for the quick reply. I dont see how there could be a problem. sql server is just soring a string (the md5 hash). These passwords are just stored in SQL for authentication against the application, not used for authentication to SQL Server itself.

I thought of something else as well. Is there a way that I could use asp to salt my current md5 passwords and return me the $salt and the $saltedhash. then i could just plug those in for the old users and just move forward.

any thoughts? 

All that is covered by Microsoft in 1.1 in the link below code and create table statement included and it is actually a PDF book you can download from MSDN.  Hope this helps.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT03.asp