views:

132

answers:

2

I have a legacy application that uses the ASP.NET membership provider with a SQL backend. The passwords in the database are set to clear. I would like to encrypt these passwords while preserving the individual passwords. How can I programmatically go about accomplishing this?

I know that in order for ASP.NET to recognize the change, I'll need to change the database password format, password salt, and the password itself. I'll also need to change the password format in the ASP.NET configuration to use the encrypted password format.

Essentially, I would need to generate a salt, grab the password, apply an encryption to the password, but I'm a little lost on how to actually encrypt the password.

+1  A: 

I suggest you hash them with a salt.

This web page contains everything you need to hash: http://www.obviex.com/samples/hash.aspx

You have to iterate through your records and update them.

Then change the password checking logic in your code.

Pierre 303
+2  A: 

When you say you want to encrypt these passwords by still preserving the individual passwords, I'm assuming you mean that you don't want to have the user's passwords be changed.

I would suggest you do a test run on this (I'm sure you would anyways).

Reference this post for the internals of how the SHA1 hashing works. http://stackoverflow.com/questions/2547397/how-to-create-a-asp-net-membership-provider-hashed-password-manually

  1. Create a small app to connect to the database and hash all the passwords.

  2. Update the config for your application to Hash the passwords (remove the "Clear" directive, as hashing is the default).

Dan
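Both answers describe the same migration: iterate over the rows, generate a salt per user, hash the clear-text password the way the provider expects, and write back Password, PasswordSalt and PasswordFormat. The following is an added example, not code from the question or either answer, that reproduces the SqlMembershipProvider's default "Hashed" format (PasswordFormat = 1): SHA1 over the raw salt bytes followed by the UTF-16LE encoding of the password, with the 16-byte salt and the digest both stored base64-encoded. It runs the migration against an in-memory SQLite table that stands in for aspnet_Membership (the table, column names and sample rows are constructed for the example; a real run would target the SQL Server database with the same UPDATE).

```python
import base64
import hashlib
import hmac
import os
import sqlite3

# PasswordFormat values used by the ASP.NET SqlMembershipProvider
PASSWORD_FORMAT_CLEAR = 0
PASSWORD_FORMAT_HASHED = 1


def new_salt() -> str:
    """16 random bytes, base64-encoded, as the provider's GenerateSalt produces."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def membership_hash(password: str, salt_b64: str) -> str:
    """Provider's default hashed format: base64(SHA1(salt_bytes || UTF-16LE(password))).

    The salt is decoded from base64 before hashing; the password is encoded as
    UTF-16LE (what Encoding.Unicode.GetBytes produces in .NET).
    """
    salt = base64.b64decode(salt_b64)
    digest = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify(password: str, salt_b64: str, stored_hash: str) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    return hmac.compare_digest(membership_hash(password, salt_b64), stored_hash)


def migrate_clear_to_hashed(conn: sqlite3.Connection) -> int:
    """Hash every row still stored in clear (PasswordFormat = 0) and return the count.

    The UPDATE re-checks PasswordFormat so the migration is idempotent and will
    not re-hash a row that was converted (or changed) by a concurrent run.
    """
    cur = conn.cursor()
    rows = cur.execute(
        "SELECT UserId, Password FROM aspnet_Membership WHERE PasswordFormat = ?",
        (PASSWORD_FORMAT_CLEAR,),
    ).fetchall()
    for user_id, clear_password in rows:
        salt = new_salt()
        cur.execute(
            "UPDATE aspnet_Membership "
            "SET Password = ?, PasswordSalt = ?, PasswordFormat = ? "
            "WHERE UserId = ? AND PasswordFormat = ?",
            (membership_hash(clear_password, salt), salt, PASSWORD_FORMAT_HASHED,
             user_id, PASSWORD_FORMAT_CLEAR),
        )
    conn.commit()
    return len(rows)


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for aspnet_Membership with two clear-text rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE aspnet_Membership ("
        "UserId TEXT PRIMARY KEY, Password TEXT, PasswordSalt TEXT, PasswordFormat INTEGER)"
    )
    conn.executemany(
        "INSERT INTO aspnet_Membership VALUES (?, ?, ?, ?)",
        [("u1", "correct horse", "", PASSWORD_FORMAT_CLEAR),
         ("u2", "hunter2", "", PASSWORD_FORMAT_CLEAR)],
    )
    conn.commit()
    return conn


def lookup(conn: sqlite3.Connection, user_id: str):
    """Return (Password, PasswordSalt, PasswordFormat) for one user."""
    return conn.execute(
        "SELECT Password, PasswordSalt, PasswordFormat FROM aspnet_Membership WHERE UserId = ?",
        (user_id,),
    ).fetchone()


if __name__ == "__main__":
    db = build_sample_db()
    print("migrated", migrate_clear_to_hashed(db), "rows")
    stored, salt, fmt = lookup(db, "u2")
    print("format", fmt, "good password:", verify("hunter2", salt, stored),
          "bad password:", verify("hunter3", salt, stored))
```

Run it once on a copy of the database first and confirm a known account can still log in through the provider after web.config is switched to passwordFormat="Hashed" (and enablePasswordRetrieval is false, since a hashed password cannot be retrieved). If the provider is configured with a hashAlgorithmType other than the default SHA1, substitute that algorithm in membership_hash or the stored values will not validate.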