Home/ Questions/Q 8562445
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-11T16:43:54+00:00

Possible Duplicate: WebMatrix WebSecurity PasswordSalt is there a way to have simpleMembershipProvider use the

  • 0

Possible Duplicate:
WebMatrix WebSecurity PasswordSalt

is there a way to have simpleMembershipProvider use the salt?

when I create my mvc4 web project and set the default connection to sqlexpress, then register, my users do not have a password salt

enter image description here

I would like for it to be as secure as it can without too much trouble.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The PasswordSalt column is unused, but salting is used when creating the hashed password that is stored in the Password field. You can see this if you look at the source code for the SimpleMembershipProvider: http://aspnetwebstack.codeplex.com/SourceControl/changeset/view/3a669e7112e7#src%2fWebMatrix.WebData%2fSimpleMembershipProvider.cs

    Check the CreateUserAndAccount method. It uses the Crypto.HashPassword method:

        /* =======================
     * HASHED PASSWORD FORMATS
     * =======================
     * 
     * Version 0:
     * PBKDF2 with HMAC-SHA1, 128-bit salt, 256-bit subkey, 1000 iterations.
     * (See also: SDL crypto guidelines v5.1, Part III)
     * Format: { 0x00, salt, subkey }
     */

    public static string HashPassword(string password)
    {
        if (password == null)
        {
            throw new ArgumentNullException("password");
        }

        // Produce a version 0 (see comment above) password hash.
        byte[] salt;
        byte[] subkey;
        using (var deriveBytes = new Rfc2898DeriveBytes(password, SaltSize, PBKDF2IterCount))
        {
            salt = deriveBytes.Salt;
            subkey = deriveBytes.GetBytes(PBKDF2SubkeyLength);
        }

        byte[] outputBytes = new byte[1 + SaltSize + PBKDF2SubkeyLength];
        Buffer.BlockCopy(salt, 0, outputBytes, 1, SaltSize);
        Buffer.BlockCopy(subkey, 0, outputBytes, 1 + SaltSize, PBKDF2SubkeyLength);
        return Convert.ToBase64String(outputBytes);
    }

    Basically to address your concerns, it’s as secure as it needs to be without you having to go to any additional trouble.

    • 0