Does asp.net membership really provide a secure and robust solution for login, authentication, authorization of web applications?

Question 1

If I am writing internal applications with a modest number of users then I usually rely on asp.net memberhsip. Its familiar, I know how to get it up and running quickly. Other developers also know it reasonably well so it doesn't need explaining. Its also usually desirable for the organisation to be in control of user accounts.

On the other hand, if you were creating a public site and needed to authenticate users before making contributions (eg. stack overflow), you might want to think about implementing OpenId so users don't have to create a new account with your domain. They could use Google/Facebook/Twitter instead. There are libraries to get you started.

Question 2

The default hash algorithm changed in .NET 4.0 to SHA256. So you are pretty safe if you are using .NET 4.0.

You could also specify the hash algorithm in your web.config:

<system.web>
    <machineKey validation="SHA256" />
    <membership defaultProvider="myMembership" hashAlgorithmType="SHA256">
    ...
</system.web>

Actually that's was a breaking change in .NET 4.0. So if you had an existing application in .NET 3.5 and upgraded to .NET 4.0 passwords that were hashed with SHA1 might no longer be used in .NET 4.0 unless you change the algorithm type back to SHA1.

Question 3

Not really. ASP.NET membership provider is a design failure.

It forces you to use predefined domain model entities instead of using your own.
Not interchangeable with ease (Use different providers per company or different forms of authentication)
The predefined MembershipProvider abstraction is a failed class design.(out param ? - yes, please test it)

Go implement your own provider. For passwords choose your hash algorithm (sha1, sha512...).

After finishing the implementation use FormsAuthentication class to integrate it with your provider.