11.6. Using Custom Hash Algorithms

The <membership /> configuration element includes the hashAlgorithmType configuration attribute. By default the Membership feature (or more specifically the SqlMembershipProvider) uses SHA1 when storing passwords. You can set this attribute to any string that the .NET Framework recognizes as a valid hashing algorithm, and the SqlMembershipProvider will use that algorithm instead. If you look at the documentation for the System.Security,Cryptography.HashAlgorithm class's Create method, there is a list of the default strings (that is, simple names) that the .NET Framework recognizes and supports for referring to hash algorithms. Any one of these strings can be used in the hashAlgorithmType attribute. You can retrieve the name of the hashing algorithm configured for the Membership feature by getting the value of the Membership.HashAlgorithm property.

Although the hash algorithm is a feature-level setting, it is really more of an opt-in approach for individual providers. The setting on the <membership /> element would be useless if individual Membership providers didn't explicitly read the value from the Membership.HashAlgorithm property and then internally make use of the correct algorithm. Currently, the hashing functionality for the SqlMembershipProvider calls an internal method on MembershipProvider. This internal method, in turn, creates the appropriate hash algorithm based on the hashAlgorithmType attribute and then hashes the password with ...

Get Professional ASP.NET 3.5 Security, Membership, and Role Management with C# and VB now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.