{"id":9595,"date":"2017-03-31T11:58:23","date_gmt":"2017-03-31T18:58:23","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/webdev\/?p=9595"},"modified":"2017-03-31T11:58:23","modified_gmt":"2017-03-31T18:58:23","slug":"hash-passwords-with-asp-net-membership-providers","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/dotnet\/hash-passwords-with-asp-net-membership-providers\/","title":{"rendered":"Hash Passwords with ASP.NET Membership Providers"},
"content":{"rendered":"<p>Are you using the legacy ASP.NET membership providers with your application?\u00a0 When you look in web.config, is there a membership configuration within the system.web element?\u00a0 The membership provider has been available since ASP.NET 2, and has been superseded by the Identity provider for a more secure authentication and authorization facility in your application. Best practices in security today dictate that you should not be storing passwords in cleartext or in an encrypted format.\u00a0 These values can be read or decrypted, and you will feel shame if your password list is published somewhere by a nefarious party. Starting with ASP.NET 4.6.2, we have updated the MembershipProvider base when reading the <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/system.web.security.membershipprovider.passwordformat(v=vs.110).aspx\">PasswordFormat property<\/a>.\u00a0 If your application is configured with a setting that is not Hashed, we now write a warning entry to the Windows Event Log that encourages you to choose the more secure Hashed setting for your Membership configuration.<\/p>\n<figure id=\"attachment_9605\" aria-labelledby=\"figcaption_attachment_9605\" class=\"wp-caption aligncenter\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/aspnet\/wp-content\/uploads\/sites\/16\/2017\/03\/1-EventLog-1024x124-1.png\" alt=\"Event Log entry recommending hashing passwords\" class=\"size-large wp-image-9605\" height=\"106\" width=\"879\" \/><figcaption id=\"figcaption_attachment_9605\" class=\"wp-caption-text\">Event Log entry recommending hashing passwords<\/figcaption><\/figure>\n<p>A hashed configuration will use the hash algorithm defined in the <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/w8h3skw9(v=vs.100).aspx\">machineKey validation attribute<\/a>.\u00a0 By default, this value is set to \u201cHMACSHA256\u201d.\u00a0 This attribute can be configured to hash with a number of different algorithms, and we no longer recommend using MD5 or SHA1 hashing.<\/p>\n<h2>Recommended Solutions<\/h2>\n<p>If you want to update an existing application to use Hashed passwords with Membership, we recommend that you force every user to reset their password at the same time you change the passwordFormat setting in web.config.\u00a0 To force this reset, follow these steps:<\/p>\n<ol>\n<li>Ensure that all users have an email address configured in your membership repository.<\/li>\n<li><a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/879kf95c.aspx#Anchor_8\">Create a password-change page<\/a> if you don\u2019t have one already and link it to your user login page.<\/li>\n<li>Notify all the application\u2019s users that they will be forced to reset their password on a scheduled date.<\/li>\n<li>On the scheduled date of your password reset, change the passwordFormat setting in web.config and update your membership repository to clear out all stored passwords. In a default SQL membership repository, you could execute the following statement to clear all passwords (check the table and column names against the schema your provider actually uses before running it):<\/li>\n<\/ol>\n<pre>UPDATE AspNetUsers SET PasswordHash='';<\/pre>\n<p>Ideally, we recommend that you update your application to use the improved <a href=\"https:\/\/www.asp.net\/identity\">ASP.NET Identity provider<\/a>.\u00a0 The newer provider enables several scenarios for integration with third-party authentication providers, two-factor authentication, and external notification systems like text messaging and email.\u00a0 You can learn more about the <a href=\"https:\/\/blogs.msdn.microsoft.com\/webdev\/2013\/06\/27\/introducing-asp-net-identity-a-membership-system-for-asp-net-applications\/\">Identity provider on our Identity announcement blog post<\/a>.<\/p>\n<h2>Summary<\/h2>\n<p>We continue to support the membership providers for ASP.NET that were introduced in ASP.NET 2.0.\u00a0 It is in your best interest to ensure that you are using them in the most secure configuration available.\u00a0 Please take a few minutes to review your ASP.NET application\u2019s configuration and determine whether you should apply any updates.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>Are you using the legacy ASP.NET membership providers with your application?\u00a0 When you look in web.config, is there a membership configuration within the system.web element?\u00a0 The membership provider has been available since ASP.NET 2, and has been superseded by the Identity provider for a more secure authentication and authorization facility in your application. Best practices [&hellip;]<\/p>\n","protected":false},
"author":405,"featured_media":58792,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[197],"tags":[],"class_list":["post-9595","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aspnet"],"acf":[],
"blog_post_summary":"<p>Are you using the legacy ASP.NET membership providers with your application?\u00a0 When you look in web.config, is there a membership configuration within the system.web element?\u00a0 The membership provider has been available since ASP.NET 2, and has been superseded by the Identity provider for a more secure authentication and authorization facility in your application. Best practices [&hellip;]<\/p>\n",
"_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/9595","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/users\/405"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/comments?post=9595"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/9595\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media\/58792"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media?parent=9595"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/categories?post=9595"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/tags?post=9595"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}