Forms Authentication Credentials

You can allow the FormsAuthenticationModule to handle the authentication process from an application configuration file. Valid user/password pairs can be placed in the <credentials> section of a configuration file. You can compare the credentials collected from the user requesting logon privileges to the list of user/password pairs in the <credentials> section to determine if access should be granted. In the following example, users Kim and John can log on if they provide the correct password.

<credentials passwordFormat="SHA1" >
    <user name="Kim"
    <user name="John" 

Note that the credential pairs must be contained within a <credentials> section, the specified password hashing format is Secure Hash Algorithm-1 (SHA1), the user names are in clear text, and the passwords are hashed using the SHA1 algorithm.

The passwordFormat attribute is required; its potential values are listed in the following table.

Value Description
Clear Passwords are stored in clear text. The user password is compared directly to this value without further transformation.
MD5 Passwords are stored using a Message Digest 5 (MD5) hash digest. To validate credentials, the user password is hashed using the MD5 algorithm and compared for equality with this value. The clear-text password is never stored or compared when using this value. This algorithm produces better performance than SHA1.
SHA1 Passwords are stored using the SHA1 hash digest. To validate credentials, the user password is hashed using the SHA1 algorithm and compared for equality with the hashed value stored in the configuration file. The clear-text password is never stored. Use this algorithm for increased security.

The .NET Framework includes classes and methods that make it easy for you to create hashed values programmatically for persistent storage. One class that can be helpful for programming this task is the FormsAuthentication class. Its HashPasswordForStoringInConfigFile method can do the hashing. At a lower level, you can use the System.Security.Cryptography classes, as well.

Hashed passwords stored in a text file cannot be used to regenerate the original password, but they are potentially vulnerable to a dictionary attack. In this type of attack, the attacker, after gaining access to the password file, attempts to guess passwords by using software to iteratively hash all words in a large dictionary and compare the generated hashes to the stored hash. If you store hashed passwords by any storage mechanism, you should require your users to choose passwords that are not common words and that contain some numbers and nonalphanumeric characters to help prevent dictionary attacks.

See Also

ASP.NET Web Application Security | Forms Authentication Provider | FormsAuthenticationModule | System.Security.Cryptography