
WebMatrix WebSecurity PasswordSalt

I am using WebMatrix and have built a website based on the "StarterSite". In this starter site you get a nice basic layout - including registration, login, forgot password pages etc...

I've noticed that in the database the "webpages_Membership" table has a column named "PasswordSalt". After creating a few new user accounts, this column always remains blank. So I'm assuming that no password salt (not even a default one) is in use.

Obviously this is not the best practice, however I cannot seem to find any documentation that tells me how to set or manage the password salt.

How can I set the password salt with the WebSecurity Helper?

The above answer gives the impression that there is no salting applied when using WebSecurity SimpleMembershipProvider.

That is not true. Indeed the database salt field is not used, however this does not indicate that there is no salt generated when hashing the password.

In WebSecurity's SimpleMembershipProvider the PBKDF2 algo is used, the random salt is generated by the StaticRandomNumberGenerator and stored in the password field with the hash:

byte[] outputBytes = new byte[1 + SALT_SIZE + PBKDF2_SUBKEY_LENGTH];
Buffer.BlockCopy(salt, 0, outputBytes, 1, SALT_SIZE); 
Buffer.BlockCopy(subkey, 0, outputBytes, 1 + SALT_SIZE, PBKDF2_SUBKEY_LENGTH);
return Convert.ToBase64String(outputBytes);
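
The layout described above, as an added Python example (not part of the answer or of the Web Pages source): it builds and parses the `version byte + salt + subkey` value kept in the `[Password]` column and checks a password against it. The numeric sizes, the iteration count, HMAC-SHA1 and the 0x00 version byte are assumptions that this page does not state, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os

# Assumed values: the page names these constants but gives no numbers.
# 128-bit salt, 256-bit subkey, 1000 iterations of PBKDF2-HMAC-SHA1 and a
# leading 0x00 version byte are the System.Web.Helpers.Crypto defaults.
SALT_SIZE = 16
PBKDF2_SUBKEY_LENGTH = 32
PBKDF2_ITER_COUNT = 1000
VERSION = 0x00


def hash_password(password, salt=None):
    """Build the Base64 value stored in the [Password] column."""
    salt = os.urandom(SALT_SIZE) if salt is None else salt
    subkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                 PBKDF2_ITER_COUNT, PBKDF2_SUBKEY_LENGTH)
    return base64.b64encode(bytes([VERSION]) + salt + subkey).decode("ascii")


def split_stored_hash(stored):
    """Return (salt, subkey) from a stored value, or None if malformed."""
    try:
        raw = base64.b64decode(stored, validate=True)
    except ValueError:  # covers binascii.Error and non-ASCII input
        return None
    if len(raw) != 1 + SALT_SIZE + PBKDF2_SUBKEY_LENGTH or raw[0] != VERSION:
        return None
    return raw[1:1 + SALT_SIZE], raw[1 + SALT_SIZE:]


def verify_password(stored, password):
    """Re-derive the subkey with the embedded salt and compare in constant time."""
    parts = split_stored_hash(stored)
    if parts is None:
        return False
    salt, expected = parts
    actual = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                 PBKDF2_ITER_COUNT, PBKDF2_SUBKEY_LENGTH)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample: two accounts that share one password.
    a, b = hash_password("correct horse"), hash_password("correct horse")
    print(split_stored_hash(a)[0].hex(), split_stored_hash(b)[0].hex())
    print(a != b, verify_password(a, "correct horse"))
```

Two accounts with the same password produce different stored values because each carries its own random salt, which is why the separate PasswordSalt column can stay empty.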

As of the RTM release of WebMatrix/ASP.NET Web Pages, the salt feature/column is unused.

If you open up the Web Pages source, you'll see the db classes littered with references like

INSERT INTO [" + MembershipTableName + "] (UserId, [Password], PasswordSalt

...

VALUES (uid, hashedPassword,String.Empty /* salt column is unused */

shortened for emphasis

There are definitely ways to override and implement this behavior, first being:

  • override System.WebData.SimpleMembershipProvider.CreateAccount()

or

  • extend with System.WebData.SimpleMembershipProvider.CreateAccountWithPasswordSalt()

Not going to go into detail there though unless you request, as your usage of WebMatrix and a template suggests you probably don't wanna mess with rewriting a ton of your own C#/ASP code for this project.
