I'm creating a custom "add user" page in ASP.Net web forms and have hit a problem. I can insert all the data into the membership table but the passwords are stored in plain text and the password salt has been hardcoded.
How do i go about hashing the passwords so that users can log in (as the membership framework checks for a password hash and not a clear text password). Also, is the salt completely random or is it linked to the password hash somehow?
Any help would be greatly appreciated,
Marc
<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
<providers>
<clear />
<add
name="SqlProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="MySqlConnection"
applicationName="MyApplication"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
requiresUniqueEmail="true"
passwordFormat="Hashed" />
</providers>
</membership>
See the line where passwordFormat="Hashed" is mentioned. You need to work out this setting to have the password hashed. PasswordFormat has three values. You chose which one you want and configure your application accordingly.
来源:https://stackoverflow.com/questions/5328642/asp-net-password-hashing-and-password-salt