Question

I am writing a custom MembershipProvider. Of course I want to encrypt the password the user creates. I presume that .NET has something that encrypts passwords. What is it and how do I use it? What size of string does that output? I have written membership providers before, but it has only been to verify the user is valid. This is the first time I need to add user registration and login.

I am sure I am not using the right search terms, but Google has not shown me anything of value for me.


Solution

First of all, you shouldn't encrypt the passwords. You should hash them (there's a never-ending debate about this).

For hashing passwords you could use HMACSHA1. For example, when you create the user and before you store the password:

using System.Security.Cryptography;
using System.Text;

HMACSHA1 hash = new HMACSHA1();
hash.Key = yourKey; // byte[]; you could use the machine key
string encodedPassword = Convert.ToBase64String(hash.ComputeHash(Encoding.Unicode.GetBytes(password)));

and then store that value in the database. You can then compare the entered password by hashing it and comparing the hashed values.

Of course you need to specify that the password is hashed in the config file:

<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="20">
  <providers>
    <remove name="AspNetSqlProvider" />
    <add name="SqlProvider"
      type="System.Web.Security.SqlMembershipProvider"
      passwordFormat="Hashed"
      applicationName="/" />
  </providers>
</membership>

Check out my blog post on this. It has an example there using hashed and encrypted passwords.
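The create-then-verify flow the answer describes, as an added example that is not the answerer's code: a keyed HMACSHA1 over the UTF-16 password, stored Base64-encoded, recomputed and compared on login. Two things beyond the answer are assumptions of this example: a random 16-byte per-user salt prefixed to the password, and a comparison that does not stop at the first differing byte; the key is passed in rather than hard-coded so it can come from configuration such as the machineKey validationKey.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class PasswordHasher
{
    // Called on CreateUser. Returns "base64(salt):base64(hmac)" for storage.
    // HMACSHA1 yields 20 bytes, i.e. 28 Base64 characters; the salt adds 24 more.
    public static string Hash(string password, byte[] key)
    {
        byte[] salt = new byte[16]; // per-user salt: an addition beyond the answer
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(Compute(password, salt, key));
    }

    // Called on ValidateUser: recompute with the stored salt and compare.
    public static bool Verify(string password, string stored, byte[] key)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 2) return false;
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        byte[] actual = Compute(password, salt, key);
        return FixedTimeEquals(expected, actual);
    }

    private static byte[] Compute(string password, byte[] salt, byte[] key)
    {
        byte[] pwd = Encoding.Unicode.GetBytes(password); // same encoding as the answer
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        using (var hmac = new HMACSHA1(key)) return hmac.ComputeHash(input);
    }

    // Compare every byte so a mismatch takes the same time wherever it occurs.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Inside the provider (key loaded from config, e.g. the machineKey validationKey):
//   string stored = PasswordHasher.Hash(password, key);    // CreateUser
//   bool ok = PasswordHasher.Verify(password, stored, key); // ValidateUser
```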

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow