Hash Passwords with ASP.NET Membership Providers

Are you using the legacy ASP.NET membership providers with your application?  When you look in web.config, is there a membership configuration within the system.web element?  The membership provider has been available since ASP.NET 2, and has been superseded by the Identity provider for a more secure authentication and authorization facility in your application.

Best practices in security today dictate that you should not be storing passwords in cleartext or in an encrypted format.  These values can be read or decrypted, and you will feel shame if your password list is published somewhere by a nefarious party.

Starting with ASP.NET 4.6.2, we have updated the MembershipProvider base when reading the PasswordFormat property.  If your application is configured with a setting that is not Hashed, we are now throwing a warning entry into the Windows Event Log that will encourage you to choose the more secure Hashed setting for your Membership configuration.

Event Log entry recommending hashing passwords

A hashed configuration will use the hash algorithm defined in the machineKey validation attribute.  By default, this value is set to “HMACSHA256”.  This attribute can be configured to hash with a number of different algorithms, and we no longer recommend using MD5 or SHA1 hashing.

Recommended Solutions

If you want to update an existing application to use Hashed passwords with Membership, we recommend that you force every user to reset their password at the same time you change the passwordFormat setting in web.config. To force this reset, follow these steps:

  1. Ensure that all users have an email address configured in your membership repository.
  2. Create a password-change page if you don’t have one already and link it to your user login page.
  3. Notify all the application’s users that they will be forced to reset their password on a scheduled date.
  4. On the scheduled date of your password reset, change the passwordFormat setting in web.config and update your membership repository to clear out all passwords stored.

In a default SQL membership repository, you could execute the following statement to clear all passwords:

UPDATE AspNetUsers SET PasswordHash='';
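As an added illustration (not from the original post), the web.config change from step 4 might look like the following: the weak passwordFormat value is shown commented out next to the Hashed setting, and the machineKey validation attribute selects the HMACSHA256 algorithm described above. The provider name, connection string name and key values are assumptions and placeholders.

```xml
<configuration>
  <system.web>
    <!-- The hashed password format uses the algorithm named in machineKey/@validation.
         Key values below are placeholders; generate real keys for your application. -->
    <machineKey validation="HMACSHA256"
                validationKey="[PLACEHOLDER_VALIDATION_KEY]"
                decryptionKey="[PLACEHOLDER_DECRYPTION_KEY]"
                decryption="AES" />

    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <!-- Before: passwordFormat="Clear" (or "Encrypted") stores recoverable passwords
             and, on ASP.NET 4.6.2 and later, triggers the Event Log warning. -->
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             passwordFormat="Hashed"
             requiresUniqueEmail="true"
             enablePasswordReset="true" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

Because existing Clear or Encrypted values cannot be converted into hashes, this change only takes effect for passwords set after the switch, which is why the post pairs it with clearing stored passwords and forcing a reset.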

Ideally, we recommend that you update your application to use the improved ASP.NET Identity provider.  The newer provider enables several scenarios for integration with third-party authentication providers, two-factor authentication, and external notification systems like text messaging and email.  You can learn more about the Identity provider on our Identity announcement blog post.

Summary

We continue to support the membership providers for ASP.NET that were introduced in ASP.NET 2.0.  It is in your best interest to ensure that you are using them in the most secure configuration available.  Please take a few minutes and review your ASP.NET application’s configuration and determine if you should apply any updates.