MembershipPasswordFormat Enum
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Describes the encryption format for storing passwords for membership users.
public enum class MembershipPasswordFormat
public enum MembershipPasswordFormat
type MembershipPasswordFormat =
Public Enum MembershipPasswordFormat
Fields
Name | Value | Description |
---|---|---|
Clear | 0 | Not secure, do not use. Passwords are not encrypted. |
Hashed | 1 | Passwords are encrypted one-way using the SHA1 hashing algorithm. You can specify a hashing algorithm different than the SHA1 algorithm by using the hashAlgorithmType attribute. Due to collision problems with SHA1, Microsoft recommends SHA256. |
Encrypted | 2 | Not secure, do not use. Passwords are encrypted using the encryption settings determined by the machineKey element configuration. |
Examples
The following example shows the machineKey Element (ASP.NET Settings Schema) element in the system.web section of the Web.config file for an ASP.NET application. It specifies the application's SqlMembershipProvider instance and sets its password format to Hashed.
This example uses SHA1. Due to collision problems with SHA1, Microsoft recommends SHA256.
<membership defaultProvider="SqlProvider"
  userIsOnlineTimeWindow="20" hashAlgorithmType="SHA1">
  <providers>
    <add name="SqlProvider"
      type="System.Web.Security.SqlMembershipProvider"
      connectionStringName="SqlServices"
      enablePasswordRetrieval="false"
      enablePasswordReset="true"
      requiresQuestionAndAnswer="true"
      passwordFormat="Hashed"
      applicationName="MyApplication" />
  </providers>
</membership>
Remarks
The SqlMembershipProvider class supports different password storage formats, but you should only use Hashed; Clear and Encrypted are not secure. Clear passwords are stored in plain text and shouldn't be used. Encrypted passwords are encrypted when stored and can be decrypted for password comparison or password retrieval. They are not considered safe, as a breach that reveals your database contents can also expose the encryption key, which means your encrypted passwords could be decrypted and exposed. Hashed passwords are encrypted using a one-way salted hash when stored in the database. When a password is validated, it is combined with a salt value and then hashed. The result is compared with the value in the database for verification. Hashed passwords cannot be retrieved.
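The guidance above can be checked mechanically across an application's configuration. The following Python sketch is an added example, not part of the original documentation or of ASP.NET: it parses a Web.config string and reports membership providers whose passwordFormat is Clear or Encrypted, that are Hashed with SHA1, or that have enablePasswordRetrieval enabled. The function name `audit_membership`, the finding messages, and the sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config fragment (not from a real application).
SAMPLE_CONFIG = """
<configuration>
  <system.web>
    <membership defaultProvider="SqlProvider" hashAlgorithmType="SHA1">
      <providers>
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             passwordFormat="Hashed" enablePasswordRetrieval="false" />
        <add name="LegacyProvider"
             type="System.Web.Security.SqlMembershipProvider"
             passwordFormat="Encrypted" enablePasswordRetrieval="true" />
      </providers>
    </membership>
  </system.web>
</configuration>
"""

INSECURE_FORMATS = {"clear", "encrypted"}  # both are marked "do not use" on this page


def audit_membership(config_xml):
    """Return a list of (provider_name, finding) tuples for a Web.config string."""
    findings = []
    root = ET.fromstring(config_xml)
    for membership in root.iter("membership"):
        # hashAlgorithmType is set on the membership element, not per provider.
        algo = membership.get("hashAlgorithmType")
        for provider in membership.iter("add"):
            name = provider.get("name", "<unnamed>")
            fmt = provider.get("passwordFormat")
            if fmt is None:
                findings.append((name, "passwordFormat not set explicitly"))
            elif fmt.lower() in INSECURE_FORMATS:
                findings.append((name, "passwordFormat=%s is not secure" % fmt))
            elif fmt.lower() == "hashed" and algo and algo.upper() == "SHA1":
                findings.append((name, "Hashed with SHA1; SHA256 is recommended"))
            # Retrieval only works when the stored password is reversible.
            if provider.get("enablePasswordRetrieval", "").lower() == "true":
                findings.append((name, "enablePasswordRetrieval is true"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_membership(SAMPLE_CONFIG):
        print("%s: %s" % (name, finding))
```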
Note
If you are not familiar with the membership features of ASP.NET, see Introduction to Membership before continuing. For a list of other topics related to membership, see Managing Users by Using Membership.