So I just wrapped up my whirlwind tour through Europe (I’m in Sweden, heading back home to the States tomorrow AM) and wanted to address a question that came up in a few places with regard to our security system.
In Beta 1 we encrypted and hashed the passwords in the membership database by default, but not the secret answer to the secret question… my advice was that if you want this, you can just customize the provider. While this is true, that default behavior is not as secure as it needs to be.
In Beta 2 the secret answer will follow the settings for the password itself — so if you have it set to use hashing and encryption, the same will be used for the secret answer. Definitely better.
Hopefully that clears up any confusion 🙂