SqlMembershipProvider.PasswordFormat Property

 

Gets a value indicating the format for storing passwords in the SQL Server membership database.

Namespace:   System.Web.Security
Assembly:  System.Web (in System.Web.dll)

public override MembershipPasswordFormat PasswordFormat { get; }

Property Value

Type: System.Web.Security.MembershipPasswordFormat

One of the MembershipPasswordFormat values, indicating the format for storing passwords in the SQL Server database.

Use Hashed only; Clear and Encrypted are not secure. Hashed passwords are hashed using a one-way hash algorithm and a randomly generated salt value when stored in the database. When a password is validated, it is hashed with the salt value in the database for verification. Hashed passwords cannot be retrieved. Encrypted passwords are not considered safe, because a breach that reveals your database contents can also expose the encryption key, in which case the encrypted passwords can be decrypted and exposed.

The PasswordFormat value is specified in the section of the Web.config file for the ASP.NET application.

Encrypted and Hashed passwords are encrypted or hashed by default based on information supplied in the machineKey element in your configuration. Note that if you specify a value of 3DES for the validation attribute, or if no value is specified, hashed passwords will be hashed using the SHA1 algorithm.

A custom hash algorithm can be defined using the hashAlgorithmType attribute of the membership configuration element. If you choose encryption, default password encryption uses AES. You can change the encryption algorithm by setting the decryption attribute of the machineKey configuration element. If you are encrypting passwords, you must provide an explicit value for the decryptionKey attribute in the machineKey element. The default value of AutoGenerate for the decryptionKey attribute is not supported when using encrypted passwords with ASP.NET Membership.

The following code example shows the membership element in the system.web section of the Web.config file for an ASP.NET application. It specifies the application's SqlMembershipProvider instance and sets its password format to Hashed.

<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="20">
  <providers>
    <add name="SqlProvider"
      type="System.Web.Security.SqlMembershipProvider"
      connectionStringName="SqlServices"
      enablePasswordRetrieval="false"
      enablePasswordReset="true"
      requiresQuestionAndAnswer="true"
      passwordFormat="Hashed"
      applicationName="MyApplication" />
  </providers>
</membership>
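
The following audit script is an added example, not part of the original documentation or the .NET Framework. It checks a Web.config for the conditions described above: a password format other than Hashed, Encrypted without an explicit decryptionKey, and Hashed falling back to SHA1. The function name, finding texts and sample configuration are constructed for illustration; it assumes a single Web.config with no XML namespace and does not see settings inherited from parent configuration files.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config (not from the page): one Encrypted provider
# with no explicit machineKey, and one Hashed provider with default hashing.
SAMPLE = """<configuration><system.web>
  <membership defaultProvider="A">
    <providers>
      <add name="A" type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="SqlServices" passwordFormat="Encrypted" />
      <add name="B" type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="SqlServices" passwordFormat="Hashed" />
    </providers>
  </membership>
</system.web></configuration>"""

def audit_membership(web_config_xml):
    """Return (provider name, finding) pairs for SqlMembershipProvider entries."""
    web = ET.fromstring(web_config_xml).find("system.web")
    membership = web.find("membership") if web is not None else None
    if membership is None:
        return []
    mk = web.find("machineKey")
    mk = mk.attrib if mk is not None else {}
    findings = []
    for add in membership.findall("providers/add"):
        if "SqlMembershipProvider" not in add.get("type", ""):
            continue
        name = add.get("name", "?")
        # Assumption: an omitted passwordFormat means the provider default, Hashed.
        fmt = add.get("passwordFormat", "Hashed")
        if fmt != "Hashed":
            findings.append((name, "passwordFormat=%s: stored passwords are recoverable" % fmt))
        # Missing decryptionKey is treated as the AutoGenerate default.
        if fmt == "Encrypted" and "AutoGenerate" in mk.get("decryptionKey", "AutoGenerate"):
            findings.append((name, "Encrypted needs an explicit machineKey decryptionKey"))
        # validation of 3DES or unspecified, with no hashAlgorithmType, means SHA1.
        if (fmt == "Hashed" and not membership.get("hashAlgorithmType")
                and mk.get("validation") in (None, "3DES")):
            findings.append((name, "hashes use SHA1; consider hashAlgorithmType"))
    return findings

if __name__ == "__main__":
    for provider, finding in audit_membership(SAMPLE):
        print(provider + ": " + finding)
```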

.NET Framework
Available since 2.0