
Convert ASP.NET Membership Passwords from Encrypted to Hashed

I've developed a website that uses ASP.NET membership. Based on comments from previous sites, I decided to encrypt passwords so they could be recovered for users who forgot them.

However, the new site (which now has over 500 registered users) has brought me some criticism that the industry standard is really to hash passwords.

However, after a fairly extensive search, I have been unable to find anything about how to convert existing users' passwords from encrypted to hashed.

I know I can change the web.config file, and new users' passwords will use the new format. But it does nothing to update the existing users.

Note: I previously asked a similar question but mostly just got a debate about which is better, encrypted or hashed. I'm past that discussion but I've been unable to find a way to convert them without losing the hundreds of users already registered.

It seems you already know how to decrypt the passwords and change the web.config file, but you're stuck with how to implement the rest of the process.

Using ILSpy, here's how to generate the salt for each user:

// needs System and System.Security.Cryptography; 16 random bytes, returned Base64-encoded
byte[] array = new byte[16];
new RNGCryptoServiceProvider().GetBytes(array);
return Convert.ToBase64String(array);

Once you have the salt, here's how to generate the password:

// needs System, System.Text and System.Security.Cryptography
byte[] bytes = Encoding.Unicode.GetBytes(pass);          // password as UTF-16LE bytes
byte[] array = Convert.FromBase64String(salt);           // salt back to raw bytes
byte[] array2 = new byte[array.Length + bytes.Length];   // salt bytes followed by password bytes
Buffer.BlockCopy(array, 0, array2, 0, array.Length);
Buffer.BlockCopy(bytes, 0, array2, array.Length, bytes.Length);
using (SHA1CryptoServiceProvider sha1 = new SHA1CryptoServiceProvider()) {
  return Convert.ToBase64String(sha1.ComputeHash(array2));
}

Where pass is the plain-text password you calculated, and salt is the string calculated in the first code snippet above. The default algorithm is SHA1, if you're wondering why it's being used.

Since this is a one-time process, I would write an HTTP handler to manually update the database during a short, scheduled maintenance period - hopefully you have that luxury. (Obviously make a backup and test first.) You need to update the following fields in the aspnet_Membership table:

  1. Password - calculated above
  2. PasswordFormat - 1
  3. PasswordSalt - calculated above

Never had to do anything like this, but hopefully that will get you started :)

Maybe I'm missing something here, but it should be pretty simple. Create a process to decrypt the password, then salt accordingly and store the hash of the salt + user's decrypted password in the database. Obviously you don't want to be hashing the user's encrypted password. Don't forget to store the salt too.

IMHO, Greg's response (and the associated comments) on your previous question (Changing passwordFormat from Encrypted to Hashed) is the way to go. Essentially, you want to:

  1. Add a hashed membership provider
  2. Loop through all of the encrypted password users,
  3. For each one decrypt the password, create the hash, store it, delete the encrypted version from the database, and move on.

When you are done, all of the encrypted password users should be converted to hashed.
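The two snippets in the first answer and the three-step loop in the last answer describe one procedure. The class below is an added example that joins them into a single, re-runnable migration; it is not code from the thread or from the ASP.NET framework. It assumes the stock aspnet_Membership table, a provider whose hashAlgorithmType resolves to SHA1 (the default the first answer mentions), that the web.config still says passwordFormat="Encrypted" with enablePasswordRetrieval="true" while it runs (so MembershipUser.GetPassword() can still decrypt), and a connection string named "MembershipDb", which is a placeholder name.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;

// Hypothetical one-off migration helper (added example, not from the original thread).
// Assumes the stock aspnet_Membership schema, SHA1 as the provider's hash algorithm,
// and a connection string named "MembershipDb" (placeholder name).
public static class EncryptedToHashedMigrator
{
    // PasswordFormat values as SqlMembershipProvider stores them in aspnet_Membership.
    private const int FormatHashed = (int)MembershipPasswordFormat.Hashed;       // 1
    private const int FormatEncrypted = (int)MembershipPasswordFormat.Encrypted; // 2

    // 16 random bytes, Base64-encoded: the same shape the provider generates itself.
    public static string GenerateSalt()
    {
        var saltBytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(saltBytes);
        }
        return Convert.ToBase64String(saltBytes);
    }

    // SHA1(saltBytes || UTF-16LE(password)), Base64-encoded. The provider recomputes exactly
    // this layout on every login once PasswordFormat = 1, so it must match byte for byte.
    public static string HashPassword(string plainText, string salt)
    {
        byte[] passwordBytes = Encoding.Unicode.GetBytes(plainText);
        byte[] saltBytes = Convert.FromBase64String(salt);
        var input = new byte[saltBytes.Length + passwordBytes.Length];
        Buffer.BlockCopy(saltBytes, 0, input, 0, saltBytes.Length);
        Buffer.BlockCopy(passwordBytes, 0, input, saltBytes.Length, passwordBytes.Length);
        using (var sha1 = new SHA1CryptoServiceProvider())
        {
            return Convert.ToBase64String(sha1.ComputeHash(input));
        }
    }

    // Converts every user still stored in Encrypted format. Returns the number of rows changed.
    // Must run while the configured provider is still Encrypted, otherwise GetPassword() cannot decrypt.
    public static int Migrate()
    {
        string connStr = ConfigurationManager.ConnectionStrings["MembershipDb"].ConnectionString;
        int converted = 0;

        using (var conn = new SqlConnection(connStr))
        {
            conn.Open();
            foreach (MembershipUser user in Membership.GetAllUsers())
            {
                // GetPassword() throws for locked-out accounts; leave those for a manual pass.
                if (user.IsLockedOut)
                    continue;

                string plainText = user.GetPassword();  // decrypted by the current (Encrypted) provider
                string salt = GenerateSalt();            // a fresh salt per user, never shared
                string hash = HashPassword(plainText, salt);

                // The PasswordFormat = @encrypted guard makes the job safe to re-run:
                // rows already converted (or never encrypted) are left untouched.
                using (var cmd = conn.CreateCommand())
                {
                    cmd.CommandText =
                        "UPDATE dbo.aspnet_Membership " +
                        "SET Password = @hash, PasswordSalt = @salt, PasswordFormat = @hashed " +
                        "WHERE UserId = @userId AND PasswordFormat = @encrypted";
                    cmd.Parameters.Add("@hash", SqlDbType.NVarChar, 128).Value = hash;
                    cmd.Parameters.Add("@salt", SqlDbType.NVarChar, 128).Value = salt;
                    cmd.Parameters.Add("@hashed", SqlDbType.Int).Value = FormatHashed;
                    cmd.Parameters.Add("@userId", SqlDbType.UniqueIdentifier).Value = (Guid)user.ProviderUserKey;
                    cmd.Parameters.Add("@encrypted", SqlDbType.Int).Value = FormatEncrypted;
                    converted += cmd.ExecuteNonQuery();
                }
            }
        }
        return converted;
    }
}
```

Call Migrate() from the maintenance-window HTTP handler the first answer suggests, after taking the backup, and compare the returned count with the number of users you expect. Only then switch web.config to passwordFormat="Hashed" and set enablePasswordRetrieval="false": SqlMembershipProvider refuses to initialise with password retrieval enabled on a hashed provider, and it verifies logins by recomputing the salt-plus-password SHA1 above, so any mismatch in the byte layout or in hashAlgorithmType locks every migrated user out. Never log or display the decrypted passwords while the loop runs.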

Disclaimer: the technical posts on this site are published under the CC BY-SA 4.0 license; if you need to republish, please credit this site or the original source. For any questions contact: yoyou2525@163.com.
