Using passwordFormat with ASP.NET Membership

ASP.NET 2.0's new membership provider offers three different ways to protect users' passwords via the passwordFormat attribute:



  • Clear: passwords are stored in clear text. Fine for non-sensitive applications.
  • Encrypted: passwords are encrypted. Note that you will have to put a hard-coded decryption key in the <machineKey> tag in your web.config or machine.config. Otherwise you’ll get a “You must specify a non-autogenerated machine key to store passwords in the encrypted format” error when trying to create users. To create a machineKey tag with a set of random keys, you can use my machineKey generator (source code included).
  • Hashed: passwords are not stored in the database at all, only an SHA-1 hash. This means passwords cannot be retrieved at all; if a user forgets their password, they’ll have to request a new, randomly-generated one.

Below is an example of a <membership> tag using the Encrypted password format.


        <membership defaultProvider="MySqlMembershipProvider">
            <providers>
                <add name="MySqlMembershipProvider"
                     connectionStringName="MyLocalSQLServer"
                     applicationName="MyAppName"
                     requiresUniqueEmail="false" enablePasswordRetrieval="true"
                     enablePasswordReset="true" requiresQuestionAndAnswer="false"
                     passwordFormat="Encrypted"
                     minRequiredPasswordLength="4"
                     minRequiredNonalphanumericCharacters="0"
                     type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
            </providers>
        </membership>
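
An added example (not from the original post): a small Python check that reads a web.config and flags the three passwordFormat situations described above. The sample config is constructed, the function names are hypothetical, and the check assumes <machineKey> lives in the same file rather than in machine.config.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's Encrypted provider, but with no explicit <machineKey>.
SAMPLE_WEB_CONFIG = """
<configuration>
  <system.web>
    <membership defaultProvider="MySqlMembershipProvider">
      <providers>
        <add name="MySqlMembershipProvider"
             connectionStringName="MyLocalSQLServer"
             applicationName="MyAppName"
             enablePasswordRetrieval="true"
             passwordFormat="Encrypted"
             type="System.Web.Security.SqlMembershipProvider" />
      </providers>
    </membership>
  </system.web>
</configuration>
"""


def has_fixed_decryption_key(root):
    """True when <machineKey> carries an explicit, non-autogenerated decryptionKey."""
    mk = root.find("./system.web/machineKey")
    key = (mk.get("decryptionKey") if mk is not None else None) or "AutoGenerate"
    return "autogenerate" not in key.lower()


def audit_membership(config_xml):
    """Return (provider name, finding) tuples for each membership provider."""
    root = ET.fromstring(config_xml.strip())
    findings = []
    for p in root.findall("./system.web/membership/providers/add"):
        name = p.get("name", "?")
        # SqlMembershipProvider falls back to Hashed when the attribute is omitted.
        fmt = p.get("passwordFormat", "Hashed").lower()
        retrieval = p.get("enablePasswordRetrieval", "false").lower() == "true"
        if fmt == "clear":
            findings.append((name, "passwords stored in clear text"))
        elif fmt == "encrypted" and not has_fixed_decryption_key(root):
            findings.append((name, "Encrypted needs a non-autogenerated machineKey"))
        elif fmt == "hashed" and retrieval:
            findings.append((name, "hashed passwords cannot be retrieved"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_membership(SAMPLE_WEB_CONFIG):
        print(f"{name}: {finding}")
```

Run against the sample, it reports the missing machineKey, which is the condition behind the error quoted in the Encrypted bullet.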
