SqlMembershipProvider.PasswordFormat Property (System.Web.Security)

.NET Framework Class Library
SqlMembershipProvider.PasswordFormat Property

Gets a value indicating the format for storing passwords in the SQL Server membership database.

Namespace:  System.Web.Security
Assembly:  System.Web (in System.Web.dll)

Syntax

Visual Basic
Public Overrides ReadOnly Property PasswordFormat As MembershipPasswordFormat
	Get
C#
public override MembershipPasswordFormat PasswordFormat { get; }
Visual C++
public:
virtual property MembershipPasswordFormat PasswordFormat {
	MembershipPasswordFormat get () override;
}
F#
abstract PasswordFormat : MembershipPasswordFormat
override PasswordFormat : MembershipPasswordFormat

Property Value

Type: System.Web.Security.MembershipPasswordFormat
One of the MembershipPasswordFormat values, indicating the format for storing passwords in the SQL Server database.

Remarks

The SQL Server membership provider supports Clear, Encrypted, and Hashed password formats. Clear passwords are stored in plain text, which improves the performance of password storage and retrieval but is less secure, as passwords are easily read if your SQL Server database is compromised. Encrypted passwords are encrypted when stored and can be decrypted for password comparison or password retrieval. This requires additional processing for password storage and retrieval, but is more secure, as passwords cannot easily be determined if the SQL Server database is compromised. Hashed passwords are hashed using a one-way hash algorithm and a randomly generated salt value when stored in the database. When a password is validated, it is hashed with the salt value in the database for verification. Hashed passwords cannot be retrieved.

The PasswordFormat value is specified in the providers section of the Web.config file for the ASP.NET application.

Encrypted and Hashed passwords are encrypted or hashed by default based on information supplied in the machineKey element in your configuration. Note that if you specify a value of 3DES for the validation attribute, or if no value is specified, hashed passwords will be hashed using the SHA1 algorithm.

A custom hash algorithm can be defined using the hashAlgorithmType attribute of the membership configuration element. If you choose encryption, default password encryption uses AES. You can change the encryption algorithm by setting the decryption attribute of the machineKey configuration element. If you are encrypting passwords, you must provide an explicit value for the decryptionKey attribute in the machineKey element. The default value of AutoGenerate for the decryptionKey attribute is not supported when using encrypted passwords with ASP.NET Membership.

Examples

The following code example shows the membership element in the system.web section of the Web.config file for an ASP.NET application. It specifies the application's SqlMembershipProvider instance and sets its password format to Hashed.

<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="20">
  <providers>
    <add name="SqlProvider"
      type="System.Web.Security.SqlMembershipProvider"
      connectionStringName="SqlServices"
      enablePasswordRetrieval="false"
      enablePasswordReset="true"
      requiresQuestionAndAnswer="true"
      passwordFormat="Hashed"
      applicationName="MyApplication" />
  </providers>
</membership>
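
The following audit script is an added example, not code from the original page or from Microsoft. It reads a Web.config and reports each SqlMembershipProvider whose passwordFormat, together with the machineKey settings, falls into one of the cases described in the Remarks. The function name audit_password_format and the sample configuration are constructed for illustration, and treating an omitted passwordFormat attribute as Hashed is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config (not from the original page).
SAMPLE_CONFIG = """<configuration><system.web>
  <machineKey validation="3DES" decryptionKey="AutoGenerate" />
  <membership defaultProvider="SqlProvider">
    <providers>
      <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"
           passwordFormat="Encrypted" />
      <add name="LegacyProvider" type="System.Web.Security.SqlMembershipProvider"
           passwordFormat="Clear" />
      <add name="HashedProvider" type="System.Web.Security.SqlMembershipProvider"
           passwordFormat="Hashed" enablePasswordRetrieval="true" />
    </providers>
  </membership>
</system.web></configuration>"""

def audit_password_format(config_xml):
    """Return (provider name, finding) pairs for SqlMembershipProvider entries."""
    web = ET.fromstring(config_xml).find("system.web")
    membership = web.find("membership") if web is not None else None
    if membership is None:
        return []
    # machineKey attributes; an empty dict when the element is absent.
    key = getattr(web.find("machineKey"), "attrib", {})
    findings = []
    for add in membership.iterfind("providers/add"):
        if "SqlMembershipProvider" not in add.get("type", ""):
            continue
        name = add.get("name", "(unnamed)")
        # Assumption: an omitted passwordFormat attribute means Hashed.
        fmt = add.get("passwordFormat", "Hashed").lower()
        if fmt == "clear":
            findings.append((name, "passwords stored in plain text"))
        elif fmt == "encrypted":
            findings.append((name, "passwords can be decrypted with the machineKey"))
            # Per the Remarks: AutoGenerate is not supported with encrypted passwords.
            if key.get("decryptionKey", "AutoGenerate").startswith("AutoGenerate"):
                findings.append((name, "decryptionKey must be explicit, not AutoGenerate"))
        elif fmt == "hashed":
            if add.get("enablePasswordRetrieval", "false").lower() == "true":
                findings.append((name, "hashed passwords cannot be retrieved"))
            # Per the Remarks: validation 3DES or unset, with no hashAlgorithmType, means SHA1.
            if not membership.get("hashAlgorithmType") and key.get("validation", "3DES") == "3DES":
                findings.append((name, "hashes use SHA1"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_password_format(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```
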
Version Information

.NET Framework

Supported in: 4, 3.5, 3.0, 2.0

Platforms

Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows XP SP2 x64 Edition, Windows Server 2008 (Server Core not supported), Windows Server 2008 R2 (Server Core supported with SP1 or later), Windows Server 2003 SP2

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.
Community Content

Peroija
Membership Table Values of PasswordFormat
For those looking at the Membership table in their database and wondering what the number values mean: 0 - Clear, 1 - Hashed, 2 - Encrypted