FormsAuthentication.HashPasswordForStoringInConfigFile Method

Produces a hash password suitable for storing in a configuration file based on the specified password and hash algorithm.

Namespace: System.Web.Security
Assembly: System.Web (in system.web.dll)

public static string HashPasswordForStoringInConfigFile (
	string password,
	string passwordFormat
public static String HashPasswordForStoringInConfigFile (
	String password, 
	String passwordFormat
public static function HashPasswordForStoringInConfigFile (
	password : String, 
	passwordFormat : String
) : String
Not applicable.



The password to hash.


The hash algorithm to use. passwordFormat is a String that represents one of the FormsAuthPasswordFormat enumeration values.

Return Value

The hashed password.

Exception typeCondition


password is a null reference (Nothing in Visual Basic)


passwordFormat is a null reference (Nothing in Visual Basic).


passwordFormat is not a valid FormsAuthPasswordFormat value.

The HashPasswordForStoringInConfigFile method creates a hashed password value that can be used when storing forms-authentication credentials in the configuration file for an application.

Authentication credentials stored in the configuration file for an application are used by the Authenticate method to verify passwords for users of an application. Alternatively, you can use ASP.NET membership to store user credentials. For more information, see Managing Users By Using Membership.

The following code example takes a user name, password, and hash type and displays the credentials section of the configuration that includes the user definition and hashed password.

Security noteSecurity Note:

This example contains a text box that accepts user input, which is a potential security threat. By default, ASP.NET Web pages validate that user input does not include script or HTML elements. For more information, see Script Exploits Overview (Visual Studio).

<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
<html xmlns="" >
    <title>ASP.NET Example</title>
<script runat="server">
         void Cancel_Click(object sender, EventArgs e)
            userName.Text = "";
            password.Text = "";
            repeatPassword.Text = "";
            result.Text = "";
         void HashPassword_Click(object sender, EventArgs e)
            if (Page.IsValid)
               string hashMethod = "";

               if (md5.Checked)
                  hashMethod = "MD5";
                  hashMethod = "SHA1";
               string hashedPassword =
                  FormsAuthentication.HashPasswordForStoringInConfigFile(password.Text, hashMethod);
               result.Text = "&lt;credentials passwordFormat=\"" + hashMethod +"\"&gt;<br />" +
                  "  &lt;user name=\"" + Server.HtmlEncode(userName.Text) + "\" password=\"" +
                  hashedPassword + "\" /&gt;<br />" + "&lt;/credentials&gt;";
               result.Text = "There was an error on the page.";

      <form id="form1" runat="server">
         <p>This form displays the results of the FormsAuthentication.HashPasswordForStoringInConfigFile
         method.<br />The user name and hashed password can be stored in a &lt;credentials&gt; node
         in the Web.config file.</p>
         <table cellpadding="2">
                  <td>New User Name:</td>
                  <td><asp:TextBox id="userName" runat="server" /></td>
                  <td><asp:RequiredFieldValidator id="userNameRequiredValidator" 
                        runat="server" ErrorMessage="User name required" 
                        ControlToValidate="userName" /></td>
                  <td>Password: </td>
                  <td><asp:TextBox id="password" runat="server" TextMode="Password" /></td>
                  <td><asp:RequiredFieldValidator id="passwordRequiredValidator" 
                        runat="server" ErrorMessage="Password required" 
                        ControlToValidate="password" /></td>
                  <td>Repeat Password: </td>
                  <td><asp:TextBox id="repeatPassword" runat="server" TextMode="Password" /></td>
                  <td><asp:RequiredFieldValidator id="repeatPasswordRequiredValidator" 
                        runat="server" ErrorMessage="Password confirmation required" 
                        ControlToValidate="repeatPassword" />
                      <asp:CompareValidator id="passwordCompareValidator" runat="server" 
                        ErrorMessage="Password does not match" 
                        ControlToCompare="password" /></td>
                  <td>Hash function:</td>
                  <td align="center">
                     <asp:RadioButton id="sha1" runat="server" GroupName="HashType" 
                                      Text="SHA1" />
                     <asp:RadioButton id="md5" runat="server" GroupName="HashType" 
                                      Text="MD5" />
                  <td align="center" colspan="2">
                    <asp:Button id="hashPassword" onclick="HashPassword_Click" 
                                runat="server" Text="Hash Password" />&nbsp;&nbsp; 
                    <asp:Button id="cancel" onclick="Cancel_Click" runat="server" 
                                Text="Cancel" CausesValidation="false" />

         <pre><asp:Label id="result" runat="server"></asp:Label></pre>

Windows 98, Windows Server 2000 SP4, Windows Server 2003, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP SP2, Windows XP Starter Edition

The Microsoft .NET Framework 3.0 is supported on Windows Vista, Microsoft Windows XP SP2, and Windows Server 2003 SP1.

.NET Framework

Supported in: 3.0, 2.0, 1.1, 1.0

Community Additions