开发者

SHA1 Password returns as cleartext after DB query

I have a SHA1 password and PasswordSalt in my aspnet_Membership table. but, when I run a query from the server (a Sql Query), the reader reveals that the pass has returned as its cleartext equivalent.

I am wondering if my web.config configuration is causing this?

<membership defaultProvider="CustomMembershipProvider" 
                userIsOnlineTimeWindow="20"
                hashAlgorithmType="SHA1">
      <p开发者_JAVA技巧roviders>
        <clear/>
        <add  name="CustomMembershipProvider"
              type="Custom.Utility.CustomMembershipProvider"
              connectionStringName="MembershipDB"
              enablePasswordRetrieval="false"
              enablePasswordReset="true"
              requiresUniqueEmail="false"
              requiresQuestionAndAnswer="false"
              passwordStrengthRegularExpression=""
              minRequiredPasswordLength="1"
              minRequiredNonalphanumericCharacters="0"
              passwordFormat="Hashed"

thanks in advance...


You've used the right settings for the membership provider (specifically passwordFormat="hashed"), but you also have this line:

type="Custom.Utility.CustomMembershipProvider"

Setting passwordFormat="hashed" only tells whichever membership provider you're using that you want passwords to be hashed. If you use a custom membership provider, that provider has to be coded to honour the passwordFormat setting.

I'm 99% sure that the reason your passwords are being stored in clear text is because that's what the CustomMembershipProvider is programmed to do.


OK, I figured this one out. The answer is "yes, there is a mechanism in web.config for decrypting my SHA1 pwd automatically. Note:

decryption="Auto"

<machineKey validationKey="MY Validateion Key"
            decryptionKey="My Decryption Key"
            validation="SHA1" decryption="Auto" />
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜