
ASP.NET MembershipProvider encryption/decryption

I have some questions on the MembershipProvider in .Net that I have been unable to find clear answers to.

  • What type of encryption is used, AES?
  • The method EncryptPassword, can it handle any salt, or do I simply add that before passing it?
  • The method DecryptPassword - can you really decrypt the password? Isn't that a poor practice to be able to do?

Thank you for the input!


add Element for providers for membership (ASP.NET Settings Schema)

  • enablePasswordRetrieval attribute: "Specifies whether the membership provider instance supports password retrieval. If true, the membership provider instance supports password retrieval. The default is false for both the SQL and Active Directory providers."
  • passwordFormat attribute: "One of the MembershipPasswordFormat values that indicates the format for storing passwords in the membership data store. The default is Hashed."
    • Hashed: "Passwords are encrypted one-way using the SHA1 hashing algorithm. You can specify a hashing algorithm different than the SHA1 algorithm using the hashAlgorithmType attribute."
    • Encrypted: "Encrypted Passwords are encrypted using the encryption settings determined by the machineKey Element (ASP.NET Settings Schema) element configuration."

So, by default the SqlMembershipProvider uses a hashed (one-way) password that is hashed with SHA1. Hashing the passwords doesn't use the EncryptPassword/DecryptPassword methods, but no, you cannot manually pass salts to Encryption/Encoding of passwords (it salts them for you).
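
Added example, not part of the original answer or of ASP.NET itself: a small audit that reads a web.config and reports, per membership provider, whether passwords are stored recoverably, applying the defaults quoted above (passwordFormat Hashed, enablePasswordRetrieval false, SHA1). The two config fragments, the provider name `Sql`, the connection string name `AppDb` and the function `audit_membership` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not from the page).
REVERSIBLE = """<configuration><system.web>
  <membership defaultProvider="Sql">
    <providers>
      <add name="Sql" type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="AppDb"
           passwordFormat="Encrypted" enablePasswordRetrieval="true" />
    </providers>
  </membership>
</system.web></configuration>"""

DEFAULTS = """<configuration><system.web>
  <membership defaultProvider="Sql">
    <providers>
      <add name="Sql" type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="AppDb" />
    </providers>
  </membership>
</system.web></configuration>"""


def audit_membership(config_xml):
    """Return (provider, finding) pairs for a web.config document."""
    findings = []
    root = ET.fromstring(config_xml)
    for membership in root.iter("membership"):
        # hashAlgorithmType sits on <membership>; per the quoted docs, SHA1 if unset.
        algo = membership.get("hashAlgorithmType", "SHA1")
        for add in membership.findall("./providers/add"):
            name = add.get("name", "?")
            # Documented defaults: passwordFormat=Hashed, enablePasswordRetrieval=false.
            fmt = add.get("passwordFormat", "Hashed").lower()
            retrieval = add.get("enablePasswordRetrieval", "false").lower() == "true"
            if fmt != "hashed":
                findings.append((name, "passwordFormat=%s stores recoverable passwords" % fmt))
            elif algo.upper() == "SHA1":
                findings.append((name, "hashed one-way with SHA1 (default hashAlgorithmType)"))
            if retrieval:
                findings.append((name, "enablePasswordRetrieval=true exposes stored passwords"))
    return findings


if __name__ == "__main__":
    for label, xml in (("reversible", REVERSIBLE), ("defaults", DEFAULTS)):
        print(label, audit_membership(xml))
```

With `passwordFormat="Encrypted"`, anyone holding the machineKey and the membership table can recover every password, so both belong in the same threat model.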
