What algorithm is being used for encryptpassword/decryptpassword method?

Last post 11-13-2007 2:54 PM by cmh322. 10 replies.

  • What algorithm is being used for encryptpassword/decryptpassword method?

    08-25-2007, 11:37 PM
    • ScobY9
    • Joined on 07-02-2007, 1:15 AM
    • Posts 19

    What algorithm is being used for the encryptpassword/decryptpassword methods of System.Web.Security.MembershipProvider?

    If I want to use the Rijndael algorithm, do I have to implement it myself?

  • Re: What algorithm is being used for encryptpassword/decryptpassword method?

    08-29-2007, 2:04 AM

    Hi

    I think you will need a custom membership that extends from the base membership class; create your own EncryptPassword/DecryptPassword method. This is the actual code that is executed in the default SQL membership provider.

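    // Excerpt: inArray and dst are declared and filled in code the post omits.
    internal string EncodePassword(string pass, int passwordFormat, string salt)
    {
        if (passwordFormat == 0) // MembershipPasswordFormat.Clear
        {
           ...
        }

        if (passwordFormat == 1) // MembershipPasswordFormat.Hashed
        {
          ...
        }
        else // encrypted password format (MembershipPasswordFormat.Encrypted)
        {
            // Virtual method on MembershipProvider; this is the override point.
            inArray = this.EncryptPassword(dst);
        }
        return Convert.ToBase64String(inArray);
    }

    So, you need to override the EncryptPassword method if you want to implement your own encryption. Similarly for decryption.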

     

    Best Regards
    XiaoYong Dai
    Microsoft Online Community Support

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
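
As an added example (not part of the original posts and not Microsoft's provider code), one way to do the override described in the reply above: a class derived from SqlMembershipProvider that swaps in Rijndael with a random IV for the two encryption hooks. The class name and the appSettings entry `MembershipPasswordKey` are hypothetical.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Web.Security;

// Added example: keeps SqlMembershipProvider and replaces only the two hooks
// it calls when passwordFormat="Encrypted".
public class RijndaelSqlMembershipProvider : SqlMembershipProvider
{
    private const int IvLength = 16; // Rijndael with the default 128-bit block
    // Assumption: a Base64-encoded 32-byte key in a hypothetical appSettings
    // entry "MembershipPasswordKey" (not a setting ASP.NET itself defines).
    private static RijndaelManaged CreateCipher()
    {
        string b64 = ConfigurationManager.AppSettings["MembershipPasswordKey"];
        if (string.IsNullOrEmpty(b64)) throw new ConfigurationErrorsException("MembershipPasswordKey is not set.");
        RijndaelManaged alg = new RijndaelManaged(); // defaults: CBC, PKCS7; no integrity tag
        alg.Key = Convert.FromBase64String(b64);     // throws unless 16, 24 or 32 bytes
        return alg;
    }

    protected override byte[] EncryptPassword(byte[] password)
    {
        using (RijndaelManaged alg = CreateCipher())
        {
            alg.GenerateIV(); // fresh random IV for every stored password
            using (ICryptoTransform enc = alg.CreateEncryptor())
            {
                byte[] ct = enc.TransformFinalBlock(password, 0, password.Length);
                byte[] result = new byte[IvLength + ct.Length];
                Buffer.BlockCopy(alg.IV, 0, result, 0, IvLength);
                Buffer.BlockCopy(ct, 0, result, IvLength, ct.Length);
                return result; // layout: IV || ciphertext
            }
        }
    }

    protected override byte[] DecryptPassword(byte[] encodedPassword)
    {
        if (encodedPassword == null || encodedPassword.Length <= IvLength) throw new CryptographicException("Stored password is too short.");
        using (RijndaelManaged alg = CreateCipher())
        {
            byte[] iv = new byte[IvLength];
            Buffer.BlockCopy(encodedPassword, 0, iv, 0, IvLength);
            alg.IV = iv;
            using (ICryptoTransform dec = alg.CreateDecryptor())
                return dec.TransformFinalBlock(encodedPassword, IvLength, encodedPassword.Length - IvLength);
        }
    }
}
```

The class is registered as the provider `type` under `<membership><providers>` with passwordFormat="Encrypted", in place of the stock SqlMembershipProvider entry.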
  • Re: What algorithm is being used for encryptpassword/decryptpassword method?

    08-29-2007, 2:28 AM
    • ScobY9
    • Joined on 07-02-2007, 1:15 AM
    • Posts 19

    Thanks for replying.

    Another question is whether all ASP.NET applications use the same key for the membership encryptpassword/decryptpassword methods by default, no matter where you run the application? Because I couldn't find any settings for an encryption/decryption key, and the machineKey area in the web.config file only applies to hashing, not encryption/decryption.

  • Re: What algorithm is being used for encryptpassword/decryptpassword method?

    08-29-2007, 10:37 PM
    Answer

    Hi

    Here is the answer from the MSDN article

    Quotes:

    If you use the membership feature, password hashes are stored in the membership database by default. The membership system also supports encrypted passwords. If you select encrypted password format, then the <machineKey> settings are used when encrypting and decrypting the data. If you want to store encrypted passwords, use the following configuration in the Web.config file. Notice that passwordFormat is set to "Encrypted".

    <membership defaultProvider="AspNetSqlMembershipProvider"
                userIsOnlineTimeWindow="15" hashAlgorithmType="">
      <providers>
        <clear />
        <add connectionStringName="LocalSqlServer" enablePasswordRetrieval="false"
             enablePasswordReset="true" requiresUniqueEmail="false"
             passwordFormat="Encrypted" .../>
      </providers>
    </membership>

    And if you deploy your application in a Web farm, you must ensure that the configuration files on each server share the same value for validationKey and decryptionKey, which are used for hashing and decryption respectively. This is required because you cannot guarantee which server will handle successive requests.

    With manually generated key values, the <machineKey> settings should be similar to the following example.

    <machineKey 
    validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7
                   AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"          
    decryptionKey="ABAA84D7EC4BB56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F"
    validation="SHA1"
    decryption="AES"
    />

    By default, those keys will be auto-generated.
    For more information, please view this link:

    http://msdn2.microsoft.com/en-us/library/ms998288.aspx#paght000007_membership

    Best Regards
    XiaoYong Dai
    Microsoft Online Community Support

  • Re: What algorithm is being used for encryptpassword/decryptpassword method?

    08-30-2007, 12:28 PM
    • ScobY9
    • Joined on 07-02-2007, 1:15 AM
    • Posts 19

    Thanks!

    Is it safe to just put the key in the web.config?

  • Re: What algorithm is being used for encryptpassword/decryptpassword method?

    08-30-2007, 10:53 PM

    Hi

    Here is an example of how to encrypt the MachineKey in Web.config using aspnet_regiis.exe. You can grant access to a trusted identity which can read the RSA key container. This method can assure adequate safety. For more information, please view this link:

    http://msdn2.microsoft.com/en-us/library/dtkwfdky(VS.80).aspx

    However, I think a clear-text Web.config can be used to easily configure your website, but when encrypted, it's not so easy; it depends on how you go.

    Best Regards
    XiaoYong Dai
    Microsoft Online Community Support

  • Re: What algorithm is being used for encryptpassword/decryptpassword method?

    10-21-2007, 11:47 AM
    • wizzkidd07
    • Joined on 10-21-2007, 3:18 PM
    • London, United Kingdom
    • Posts 65

    I have an existing Access database which I will be upsizing to a SQL Express database.  The problem with my old database is that I created a members table which stored all my members' passwords using MD5.  Since I will be transferring all the data from the Access database into my SQL Express database, I will have 2 problems: 1) authentication with MD5, and 2) adding new users using MD5.

    I am using the login control built in to VS.NET 2005, and have already built my pages, e.g. adduser, forgotpassword, and login (using their respective controls) etc.

    When I run the ASP.NET Configuration for my website, I've noticed that when I add users, their passwords are stored in the database using SHA1 (which I understand is the default).  I have read your guidelines above, but I'm unable to make it store the users' passwords using MD5.  Remember, I need to apply this to the built-in login control's "CreateUserWizard", and the method above seems to use a connection string as the example, which slightly throws me.

    Can anyone help me here? It is not feasible to get all my users to re-register. :(

    Thanks in advance.

    WizzKidd

    - WizzKidd
    - http://www.PromotionCity.co.uk
  • Re: What algorithm is being used for encryptpassword/decryptpassword method?

    10-22-2007, 4:33 AM

    wizzkidd07:

    Remember, I need to apply this to the built-in login control's "CreateUserWizard", and the method above seems to use a connection string as the example, which slightly throws me.

    Hi

    That's quite a different question from this post. I think you can get more information about what encryption algorithm is used in the membership API from the source code. (There are three passwordFormat values: Clear, Encrypted and Hashed.)

    http://download.microsoft.com/download/a/b/3/ab3c284b-dc9a-473d-b7e3-33bacfcc8e98/ProviderToolkitSamples.msi

    Best Regards
    XiaoYong Dai
    Microsoft Online Community Support

  • Re: What algorithm is being used for encryptpassword/decryptpassword method?

    10-22-2007, 10:23 AM
    • wizzkidd07
    • Joined on 10-21-2007, 3:18 PM
    • London, United Kingdom
    • Posts 65

    Thanks for your reply.

    I've been looking at the SQLMembershipProvider.cs source, and scanning my eyes over the functions.  I am not an expert, but have a general understanding of how things work, and also, I'm pretty new to .NET (as classic ASP was my confident language previously).

    I just decided to take a look at my old newuser.asp page and noticed that I used SHA256 in the past (not MD5 as previously thought).  I also looked into the Access database, and it appears that all the passwords are hashed using this, and do not use a salt.  (However, there are a small number of passwords that use a salt value because of the procedure used when 'resetting your password' is invoked, but those passwords I'll tackle later.)

    So bearing in mind that my passwords are all SHA256 hashed with a blank salt, I'm guessing that somehow I need to add a 'hashing to SHA256' function into the SQLMembershipProvider.cs code, and then call this function appropriately from within the current functions such as CreateUser() and ChangePasswordQuestionAndAnswer() and GetPassword() and ChangePassword() and so on.

    Now, what are my odds and chances that someone has already done this or can give me a big helping hand please?

    Thanks,

    WizzKidd

    - WizzKidd
    - http://www.PromotionCity.co.uk
  • Re: What algorithm is being used for encryptpassword/decryptpassword method?

    10-22-2007, 10:12 PM

    wizzkidd07:

    So bearing in mind that my passwords are all SHA256 hashed with a blank salt, I'm guessing that somehow I need to add a 'hashing to SHA256' function into the SQLMembershipProvider.cs code, and then call this function appropriately from within the current functions such as CreateUser() and ChangePasswordQuestionAndAnswer() and GetPassword() and ChangePassword() and so on.

    Hi

    Well, please create a custom membership provider which inherits the MembershipProvider abstract class, and override those methods as you want.

    Here is an example of the creation of a membership provider which you can check. Hope it helps.

    http://channel9.msdn.com/ShowPost.aspx?PostID=180276

    Best Regards
    XiaoYong Dai
    Microsoft Online Community Support

  • Re: What algorithm is being used for encryptpassword/decryptpassword method?

    11-13-2007, 2:54 PM
    • cmh322
    • Joined on 06-29-2006, 6:03 PM
    • Posts 3

    Hello,

    I checked out the Provider Toolkit samples, and the source implementation for DecryptPassword is not included, so I cannot determine how it works. Do you know how it works, or how I can get the source for DecryptPassword?

    Thanks
