tags:

views:

56

answers:

2
+2  Q: 

SHA1 Password returns as cleartext after DB query

Hi.

I have a SHA1 password and PasswordSalt in my aspnet_Membership table. but, when I run a query from the server (a Sql Query), the reader reveals that the pass has returned as its cleartext equivalent.

I am wondering if my web.config configuration is causing this? 

<membership defaultProvider="CustomMembershipProvider" 
                userIsOnlineTimeWindow="20"
                hashAlgorithmType="SHA1">
      <providers>
        <clear/>
        <add  name="CustomMembershipProvider"
              type="Custom.Utility.CustomMembershipProvider"
              connectionStringName="MembershipDB"
              enablePasswordRetrieval="false"
              enablePasswordReset="true"
              requiresUniqueEmail="false"
              requiresQuestionAndAnswer="false"
              passwordStrengthRegularExpression=""
              minRequiredPasswordLength="1"
              minRequiredNonalphanumericCharacters="0"
              passwordFormat="Hashed"

thanks in advance...

A: 

OK, I figured this one out. The answer is "yes, there is a mechanism in web.config for decrypting my SHA1 pwd automatically. Note:

decryption="Auto"

<machineKey validationKey="MY Validateion Key"
            decryptionKey="My Decryption Key"
            validation="SHA1" decryption="Auto" />
Code Sherpa  2010-04-08 19:37:56
Wrong. SHA-1 cannot be "decrypted", it is a one-way hashing function. The SHA1 you see in `machineKey` relates to ViewState validation and is used to detect/prevent tampering. It has nothing to do with the membership system.
Aaronaught  2010-04-08 19:54:30
+1  A: 

You've used the right settings for the membership provider (specifically passwordFormat="hashed"), but you also have this line:

type="Custom.Utility.CustomMembershipProvider"

Setting passwordFormat="hashed" only tells whichever membership provider you're using that you want passwords to be hashed. If you use a custom membership provider, that provider has to be coded to honour the passwordFormat setting.

I'm 99% sure that the reason your passwords are being stored in clear text is because that's what the CustomMembershipProvider is programmed to do.

Aaronaught  2010-04-08 19:57:37
I am 100% sure that the reason the pwd is clear is because the `CustomMembershipProvider` is not programmed to encrypt passwords. The tone of OP's question denotes a bit of moisture behind the ears. But he will figure it out. ;-)
Sky Sanders  2010-04-08 20:07:12

related questions

Backup SQL Schema Only?
Sql to query a dbs scheme
Timer-based event triggers
Sql query, count and group by
Paging SQL Server 2005 Results
SQL 2005 For XML Explicit - Need help formatting
How do I use T-SQL Group By
What all do I need to escape when sending a (My)SQL query?
Split String in SQL
Datatable vs Dataset
ASP.NET MVC "CRUD" Database Sample
Convert HashBytes to VarChar
Best Book for a new Database Developer
What is the best way to avoid SQL injection attacks?
What language do you use for Postgresql triggers and stored procedures?
What is the best way to handle multiple permission types?
How do I index a database field
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Is there a version control system for database structure changes?
How to export data from SQL Server 2005 to MySQL
ASP.NET Site Maps
Decoding T-SQL CAST in C#/VB.net
Flat File Databases in PHP