Last post May 14, 2009 02:46 PM by kjmcad
May 11, 2009 09:47 AM|kjmcad|LINK
May 13, 2009 04:18 AM|Wencui Qian - MSFT|LINK
To know how membership encrypts the password in Hashed format, you could use Reflector to check the EncodePassword method of SqlMembershipProvider. Here's the method source code:
internal string EncodePassword(string pass, int passwordFormat, string salt)
if (passwordFormat == 0)
byte bytes = Encoding.Unicode.GetBytes(pass);
byte src = Convert.FromBase64String(salt);
byte dst = new byte[src.Length + bytes.Length];
byte inArray = null;
Buffer.BlockCopy(src, 0, dst, 0, src.Length);
Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);
if (passwordFormat == 1)
HashAlgorithm algorithm = HashAlgorithm.Create(Membership.HashAlgorithmType);
if ((algorithm == null) && Membership.IsHashAlgorithmFromMembershipConfig)
inArray = algorithm.ComputeHash(dst);
inArray = this.EncryptPassword(dst);
May 14, 2009 02:21 PM|tevya|LINK
I am encountering a similar situation but not using the Membership API (unfortunately). We are writing a web interface to a legacy system in which some of the accounts are shared with the legacy system. The new code (developed by a vendor who is no
longer in the picture) uses the COM .NET 2.0 file Interop.Encryption.DLL
We would like the new code to stop using this DLL because of installation headaches it causes. I have been unable to determine the algorithm used by the EncryptPassword() method of this DLL. I suspect it is the same method used in the code in your posting
but I cannot be sure.
So, what hashing algorithm is it using? MD5? SHA-1? Something else?
Thanks for the help!
== Tevya ==
password encrypt decrypt
May 14, 2009 02:46 PM|kjmcad|LINK
I figured this out but got to update the forum. The hashed algorithm used by the membership API is SHA1. I actually recreated the code to recreate the hashed password. I had to recreate the code so our Java guys could recreate it in Java so the password
authenciation could be done using Java by recreating the hashed password in Java and matching it to what was in the database for authentication.