ASP.Net Membership saves changed password as plain text even with Hashed passwordFormat set

花落未央 2021-01-03 12:04

I'm using the ASP.Net SqlMembershipProvider to manage my users. Here is my config:



        
3 Answers
  •  孤独总比滥情好
    2021-01-03 12:57

    Russ's solution probably works, but there's a simpler way if all your existing users have either clear or encrypted passwords. Set up 2 SQL membership providers in your web.config, one using clear (or encrypted) passwords and another using hashed. Then execute this code somewhere within your web application:

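    using System.Configuration;
    using System.Data.SqlClient;
    using System.Linq;
    using System.Web.Security;

    void ConvertPasswordsToHashed()
    {
        var clearProvider = Membership.Providers["SqlProvider"];
        var hashedProvider = Membership.Providers["SqlProvider_Hashed"];
        int dontCare;
        if (clearProvider == null || hashedProvider == null) return;

        // Read every user's current password through the clear (or encrypted) provider.
        var passwords = clearProvider.GetAllUsers(0, int.MaxValue, out dontCare)
            .Cast<MembershipUser>().ToDictionary(u => u.UserName, u => u.GetPassword());
    
        // ConnectionStrings[0] must be the membership database; an entry inherited
        // from machine.config can occupy index 0.
        using (var conn = new SqlConnection(ConfigurationManager.ConnectionStrings[0].ConnectionString))
        {
            conn.Open();
            // Mark every row as hashed (PasswordFormat = 1) so the password written below is stored hashed.
            using (var cmd = new SqlCommand("UPDATE [aspnet_Membership] SET [PasswordFormat]=1", conn))
                cmd.ExecuteNonQuery();
        }
    
        foreach (var entry in passwords)
        {
            // Reset to a generated password, then change it back to the user's original one.
            var resetPassword = hashedProvider.ResetPassword(entry.Key, null);
            hashedProvider.ChangePassword(entry.Key, resetPassword, entry.Value);
        }
    }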
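The two-provider setup this answer describes, as an added web.config sketch that is not part of the original answer. The provider names come from the code above; the connection string name `MembershipDb`, its value, and the application name `/MyApp` are placeholders, and both providers must point at the same database and application so they see the same users.

```xml
<!-- Added example; "MembershipDb", its connection string and "/MyApp" are placeholders. -->
<configuration>
  <connectionStrings>
    <add name="MembershipDb"
         connectionString="PLACEHOLDER_CONNECTION_STRING"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <!-- Existing provider: stores passwords in clear text. Retrieval must be
             enabled and no security answer required, or GetPassword() will throw. -->
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/MyApp"
             passwordFormat="Clear"
             enablePasswordRetrieval="true"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false" />
        <!-- Migration target: hashed storage. Retrieval must be off (the provider
             rejects Hashed combined with retrieval), reset must be on, and no
             security answer may be required, because the code calls
             ResetPassword(userName, null). Password policy attributes, if set,
             must not be stricter than the clear provider's, or ChangePassword
             will reject existing passwords. -->
        <add name="SqlProvider_Hashed"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/MyApp"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

Once the conversion has run, remove the `SqlProvider` entry and point `defaultProvider` at the hashed provider so nothing in the application can read passwords back.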
    
