Forms Authentication Credentials
Forms authentication credentials that are used to validate users at logon can be stored in an external data source or in the application configuration file.
ASP.NET membership is the preferred method for storing and managing user credentials in forms-authenticated applications. For more information, see Managing Users by Using Membership.
When using forms authentication, you can validate users from user/password pairs in the credentials section of the Web site's configuration file. You can use the Authenticate method to compare the credentials collected from the user to the list of user/password pairs in the credentials section to determine whether access should be granted. In the following example, users Kim and John can log on if they provide the correct password.
<credentials passwordFormat="SHA1" > <user name="Kim" password="07B7F3EE06F278DB966BE960E7CBBD103DF30CA6"/> <user name="John" password="BA56E5E0366D003E98EA1C7F04ABF8FCB3753889"/> </credentials>
The credential pairs in the example are encrypted using the Secure Hash Algorithm-1 (SHA1) password-hashing format. The PasswordFormat attribute is required. Values for this property are listed in the following table.
Passwords are stored in clear text. The user password is compared directly to this value without further transformation.
Passwords are stored using a Message Digest 5 (MD5) hash digest. To validate credentials, the user password is hashed using the MD5 algorithm and compared to the stored value. The clear-text password is never stored or compared when using this value. This algorithm produces better performance than SHA1.
Passwords are stored using the SHA1 hash digest. To validate credentials, the user password is hashed using the SHA1 algorithm and compared to the stored value. The clear-text password is never stored. Use this algorithm for improved security over the MD5 algorithm.
The .NET Framework includes classes and methods that make it easy for you to create hashed values programmatically for persistent storage. One class that can be helpful for programming this task is the FormsAuthentication class. Its HashPasswordForStoringInConfigFile method can do the hashing. For more precise control, you can use the System.Security.Cryptography classes as well.
Hashed passwords stored in a text file cannot be used to regenerate the original password, but they are potentially vulnerable to a dictionary attack. In this type of attack, the attacker, after gaining access to the password file, attempts to guess passwords by using software to iteratively hash all words in a large dictionary and compare the generated hashes to the stored hash. If you store hashed passwords in any way, you should require your users to choose passwords that are not common words and that contain some numbers and non-alphanumeric characters to help prevent dictionary attacks. Additionally, you can make credentials management easier by storing them using ASP.NET membership. For more information, see Managing Users by Using Membership.