SHA1 Password returns as cleartext after DB query
I have a SHA1 password and PasswordSalt in my aspnet_Membership table. But when I run a query from the server (a SQL query), the reader reveals that the password has been returned as its cleartext equivalent.
I am wondering if my web.config configuration is causing this?
<membership defaultProvider="CustomMembershipProvider"
userIsOnlineTimeWindow="20"
hashAlgorithmType="SHA1">
<providers>
<clear/>
<add name="CustomMembershipProvider"
type="Custom.Utility.CustomMembershipProvider"
connectionStringName="MembershipDB"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresUniqueEmail="false"
requiresQuestionAndAnswer="false"
passwordStrengthRegularExpression=""
minRequiredPasswordLength="1"
minRequiredNonalphanumericCharacters="0"
passwordFormat="Hashed"
Thanks in advance...
You've used the right settings for the membership provider (specifically passwordFormat="hashed"), but you also have this line:
type="Custom.Utility.CustomMembershipProvider"
Setting passwordFormat="hashed" only tells whichever membership provider you're using that you want passwords to be hashed. If you use a custom membership provider, that provider has to be coded to honour the passwordFormat setting.
I'm 99% sure that the reason your passwords are being stored in clear text is because that's what the CustomMembershipProvider is programmed to do.
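As an added example (not part of the original answer, and not the asker's CustomMembershipProvider code), this is one way a custom provider could honour passwordFormat when it writes and checks the Password column. The class and method names are hypothetical, and the salt-then-password SHA1 layout is an assumption about what the provider should store.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security; // MembershipPasswordFormat; reference System.Web.dll

// Hypothetical helper a custom MembershipProvider could call (names are assumptions).
public static class PasswordEncoder
{
    // Random 16-byte salt, Base64-encoded, for the PasswordSalt column.
    public static string NewSalt()
    {
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);
        return Convert.ToBase64String(salt);
    }

    // Value to write to the Password column for the configured passwordFormat.
    public static string Encode(string password, string saltBase64, MembershipPasswordFormat format)
    {
        if (format == MembershipPasswordFormat.Clear)
            return password; // stored as typed; a SQL query then returns readable text
        if (format != MembershipPasswordFormat.Hashed)
            throw new NotSupportedException("Not handled in this example: " + format);
        // Assumed layout: Base64(SHA1(salt bytes followed by UTF-16LE password bytes)).
        byte[] salt = Convert.FromBase64String(saltBase64);
        byte[] pwd = Encoding.Unicode.GetBytes(password);
        byte[] all = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, all, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, all, salt.Length, pwd.Length);
        using (SHA1 sha1 = SHA1.Create())
            return Convert.ToBase64String(sha1.ComputeHash(all));
    }

    // Login check: re-hash the attempt with the stored salt, compare without early exit.
    public static bool Verify(string attempt, string saltBase64, string storedHash)
    {
        string computed = Encode(attempt, saltBase64, MembershipPasswordFormat.Hashed);
        int diff = computed.Length ^ storedHash.Length;
        for (int i = 0; i < computed.Length && i < storedHash.Length; i++)
            diff |= computed[i] ^ storedHash[i];
        return diff == 0;
    }

    public static void Main() // constructed sample values
    {
        string salt = NewSalt();
        string stored = Encode("correct horse", salt, MembershipPasswordFormat.Hashed);
        Console.WriteLine(stored + " " + Verify("correct horse", salt, stored) + " " + Verify("wrong", salt, stored));
    }
}
```

A provider's CreateUser and ChangePassword would pass its own PasswordFormat property to Encode, and ValidateUser would call Verify with the row's PasswordSalt and Password values.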
OK, I figured this one out. The answer is "yes, there is a mechanism in web.config for decrypting my SHA1 pwd automatically." Note:
decryption="Auto"
<machineKey validationKey="MY Validateion Key"
decryptionKey="My Decryption Key"
validation="SHA1" decryption="Auto" />