Describes the encryption format for storing passwords for membership users.
Assembly: System.Web.ApplicationServices (in System.Web.ApplicationServices.dll)
Clear: Not secure, do not use. Passwords are not encrypted.
Encrypted: Not secure, do not use. Passwords are encrypted using the encryption settings determined by the machineKey Element (ASP.NET Settings Schema) element configuration.
Hashed: Passwords are encrypted one-way using the SHA1 hashing algorithm.
The SqlMembershipProvider class supports different password storage formats, but you should only use Hashed; Clear and Encrypted are not secure.

Clear passwords are not secure and shouldn't be used. They are stored in plain text.

Encrypted passwords are encrypted when stored and can be decrypted for password comparison or password retrieval. They are not considered safe, as a breach that reveals your database contents can also expose the encryption key. This means your encrypted passwords could be decrypted and exposed.

Hashed passwords are encrypted using a one-way salted hash when stored in the database. When a password is validated, it is combined with a salt value and then hashed. The result is compared with the value in the database for verification. Hashed passwords cannot be retrieved.
The following example shows the membership element in the system.web section of the Web.config file for an ASP.NET application. It specifies the application's SqlMembershipProvider instance and sets its password format to Hashed.
<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="20" hashAlgorithmType="SHA1">
  <providers>
    <add name="SqlProvider"
         type="System.Web.Security.SqlMembershipProvider"
         connectionStringName="SqlServices"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="true"
         passwordFormat="Hashed"
         applicationName="MyApplication" />
  </providers>
</membership>
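To check an existing Web.config against the guidance above, the following added example (not part of the original documentation) lists every membership provider whose passwordFormat is not Hashed. The sample configuration, the provider names LegacyProvider and ImportProvider, and the function name audit_membership are constructed for illustration, and the file is assumed to declare no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config (not from the page), no XML namespace assumed.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <membership defaultProvider="LegacyProvider" hashAlgorithmType="SHA1">
      <providers>
        <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"
             passwordFormat="Hashed" enablePasswordRetrieval="false" />
        <add name="LegacyProvider" type="System.Web.Security.SqlMembershipProvider"
             passwordFormat="Encrypted" enablePasswordRetrieval="true" />
        <add name="ImportProvider" type="System.Web.Security.SqlMembershipProvider"
             passwordFormat="Clear" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

# Why each non-Hashed format is flagged, following the member descriptions.
REASONS = {
    "Clear": "passwords stored in plain text",
    "Encrypted": "passwords can be decrypted with the machineKey settings",
}

def audit_membership(config_xml):
    """Return one finding per provider whose passwordFormat is not Hashed."""
    root = ET.fromstring(config_xml)
    findings = []
    for membership in root.iter("membership"):
        default = membership.get("defaultProvider")
        for add in membership.findall("./providers/add"):
            fmt = add.get("passwordFormat")
            if fmt == "Hashed":
                continue
            if fmt is None:
                reason = "passwordFormat not set; confirm the provider default"
            else:
                reason = REASONS.get(fmt, "unrecognized passwordFormat value")
            findings.append({
                "provider": add.get("name"),
                "format": fmt,
                "is_default": add.get("name") == default,
                "retrieval": add.get("enablePasswordRetrieval", "").lower() == "true",
                "reason": reason,
            })
    return findings

if __name__ == "__main__":
    for finding in audit_membership(SAMPLE_CONFIG):
        print(finding)
```

A finding with is_default set is the one to fix first, since that provider handles membership calls that do not name a provider explicitly.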
Available since 2.0