QUALITY DATA

Understanding membership provider password formats

The Asp.Net Membership Provider defines a passwordFormat property that lets you choose how passwords and the answers to password questions are stored.

You've probably seen the "passwordFormat" attribute when configuring your membership provider.

[Screenshot: Password Format]

In fact, the Membership Provider supports three passwordFormat values (Clear, Hashed, Encrypted), which are defined by the MembershipPasswordFormat enumeration in the System.Web.Security namespace as shown below.

[Screenshot: MembershipPasswordFormat enumeration, three password formats to choose from]

Clear

This is the most performant but least secure way to store passwords. If you store a password in clear text, you can literally read it in the aspnet_Membership table when using the SqlMembershipProvider.

You might use a clear passwordFormat on web sites or applications that require almost no security. Personally, I feel uncomfortable when I see someone's password, so I don't use the Clear passwordFormat except possibly during development.

The enumeration value for the Clear passwordFormat is zero (0), which is what you will see in the aspnet_Membership table for each user with a clear password format, as shown below.

[Screenshot: Clear passwordFormat]

Hashed

The default Membership Provider passwordFormat is Hashed, and it is also the most secure. Hashed passwords are converted using a one-way hashing algorithm and a randomly generated "salt" value. There is no way to retrieve a hashed password, so password verification is performed by hashing the newly entered password and comparing the result to the value stored in the database.

The enumeration value for the Hashed passwordFormat is one (1), which is what you will see in the aspnet_Membership table for each user with a hashed password format, as shown below. Also notice that each user has a unique PasswordSalt, which is used in the hashing algorithm to destroy any patterns that could be exploited by deciphering techniques.

[Screenshot: Hashed passwordFormat]

Since hashed passwords cannot be retrieved, the Asp.Net Membership Provider will throw an exception if it is configured to use hashed passwords and also configured with EnablePasswordRetrieval="true". You can, however, set EnablePasswordReset="true" when using the Hashed passwordFormat, since the "reset password" operation sets a new random password without requiring the old one to be retrieved.
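The following added example (not code from the original article) models the Clear and Hashed rows described above: a per-user random salt, one-way hashing for verification, and a retrieval call that fails for hashed rows just as the provider does. The byte layout (base64 salt bytes followed by the UTF-16LE password, hashed with SHA1 and base64-encoded) is an assumption about the default SqlMembershipProvider scheme; the row layout and user data are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# MembershipPasswordFormat values as they appear in the PasswordFormat column
CLEAR, HASHED, ENCRYPTED = 0, 1, 2


def new_salt() -> str:
    """Random 16-byte salt, stored base64-encoded like the PasswordSalt column."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def hash_password(password: str, salt_b64: str) -> str:
    # Assumed layout: raw salt bytes, then the UTF-16LE password, SHA1, base64.
    data = base64.b64decode(salt_b64) + password.encode("utf-16-le")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def create_row(password: str, fmt: int) -> dict:
    """Build the Password / PasswordFormat / PasswordSalt columns for one user."""
    salt = new_salt()
    if fmt == CLEAR:
        stored = password                      # readable in the table
    elif fmt == HASHED:
        stored = hash_password(password, salt)  # one-way, salted
    else:
        raise NotImplementedError("Encrypted requires the machineKey; not modelled")
    return {"Password": stored, "PasswordFormat": fmt, "PasswordSalt": salt}


def validate_user(row: dict, candidate: str) -> bool:
    """Hash the supplied password with the user's own salt and compare."""
    if row["PasswordFormat"] == HASHED:
        supplied = hash_password(candidate, row["PasswordSalt"])
    elif row["PasswordFormat"] == CLEAR:
        supplied = candidate
    else:
        raise NotImplementedError("Encrypted requires the machineKey; not modelled")
    return hmac.compare_digest(row["Password"].encode(), supplied.encode())


def get_password(row: dict) -> str:
    """Mirror EnablePasswordRetrieval: a hashed password cannot be given back."""
    if row["PasswordFormat"] == HASHED:
        raise ValueError("Password retrieval is not supported for hashed passwords")
    return row["Password"]
```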

Encrypted

The Encrypted passwordFormat provides a balance of security and flexibility, since encrypted passwords are not readily visible but can be decrypted with the proper keys. As discussed in the article titled "You must specify a non-autogenerated machineKey", it is necessary to add a machineKey section to your web configuration file if you plan on using the Encrypted passwordFormat.

If someone obtains a copy of your database, they cannot unscramble your user passwords unless they also have a copy of the web.config file that specifies the decryption key.

The enumeration value for the Encrypted passwordFormat is two (2), which is what you will see in the aspnet_Membership table for each user with an encrypted password.

Can I change the passwordFormat used in my web application?

Yes. If you originally set up your web site without changing any of the default provider settings, you will find that all your membership user passwords are stored in a hashed format, since that is the default. If you decide that you would prefer the Encrypted passwordFormat in order to allow users to retrieve their passwords, you can simply change the passwordFormat property on your Membership Provider from "Hashed" to "Encrypted" (don't forget to provide the machineKey section).

As you might expect, the passwords for new users will be stored in an encrypted format, but those for existing users will remain hashed. The above screenshot illustrates the co-existence of multiple passwordFormats within a single application, which the Asp.Net Membership Provider generally handles well.

Obviously, it is better to stick with a uniform passwordFormat so you don't have to decide individually whether a user's password can be retrieved. The Membership Manager API includes methods that you can use to change a user's passwordFormat while at the same time assigning a new password and password answer (sorry, there is no way to retrieve these if they are hashed).