Given a site that uses the default ASP.NET Membership Provider, where the membership password format is configured to use hashing and the hash algorithm is SHA1 (the default; the same one LinkedIn used), and assuming the membership database is breached, are there any additional steps that can be taken to further mitigate exploitation of that data?

From quickly looking at the membership schema, passwords seem to utilize a salt key. Is this measure sufficient?

Rudy
  • I like the answer and this is only a comment. I assume you are using MSSQL. Do a general review of your SQL security and the security of the web site. I know it's obvious, but close port 1433 .... – paparazzo Jun 07 '12 at 22:42
  • P.S. I would remove "LinkedIn Password Leak" from the title, as that implies a "LinkedIn Password Leak". – paparazzo Jun 07 '12 at 22:44

1 Answer


To make things short: for storing passwords, you should never go with MD5, SHA1, SHA256, SHA512, SHA-3, etc. bcrypt is the only safe way to store a password.

Here is the reasoning behind the statement above:

Since my question a while back

Is this the way to salt and store a Password in Db?

I started to use BCrypt as my password hashing code, and from what I keep reading, even if you get hold of the users table, it is pretty difficult to get the plain text of the stored password from it.

I use this in my Custom Membership Provider so I get to host my own passwords.

From the blog post:

Why BCrypt? Most popular password storage schemes are based on fast hashing algorithms such as MD5 and SHA-1. BCrypt is a computationally expensive adaptive hashing scheme which utilizes the Blowfish block cipher. It is ideally suited for password storage, as its slow initialization time severely limits the effectiveness of brute force password cracking attempts. How much overhead it adds is configurable (that's the adaptive part), so the computational resources required to test a password candidate can grow along with advancements in hardware capabilities.

On codahale.com you can also read How to safely store a password.

By the way, the BCrypt project is on CodePlex.

balexandre
  • So the gist is to use a hashing algorithm that is not built for speed, which bcrypt fulfills but requires a custom membership provider? – Rudy Jun 08 '12 at 01:03
  • You can only `override` the create user and get user methods so you can use bcrypt, as the default Membership only uses normal hashing. If you read my answer, you will see that it is quite easy to do. – balexandre Jun 08 '12 at 06:56
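The following is an added example, not code from the question or the answer above. It reproduces the default SqlMembershipProvider hashed-password layout (a base64 16-byte salt, and base64 of one SHA1 over the salt bytes followed by the UTF-16LE password), runs a dictionary attack against a breached row to show what the per-user salt does and does not buy (it defeats precomputed tables and cross-user reuse; it does not slow down guessing one row), and then repeats the attack against an adaptive scheme with a tunable work factor, which is the point the answer makes about bcrypt. bcrypt itself needs a third-party package, so PBKDF2-HMAC-SHA256 from the Python standard library stands in for it; the `pbkdf2_sha256$iterations$salt$dk` storage layout, the wordlist and the sample rows are constructed for this demo and are not ASP.NET's.

```python
"""Added example: default ASP.NET membership SHA1 rows vs. an adaptive KDF.
bcrypt is a third-party package, so PBKDF2-HMAC-SHA256 (stdlib) stands in
for it; the wordlist, passwords and rows below are constructed for the demo."""

import base64
import hashlib
import hmac
import os
import time

# --- The default provider's "Hashed" password format ----------------------
# SqlMembershipProvider stores PasswordSalt = base64(16 random bytes) and
# Password = base64(HASH(salt_bytes || UTF-16LE(password))), HASH being the
# configured hashAlgorithmType (SHA1 by default). One fast digest per guess.


def membership_generate_salt() -> str:
    return base64.b64encode(os.urandom(16)).decode("ascii")


def membership_encode_password(password: str, salt_b64: str, algorithm: str = "sha1") -> str:
    """Mirror of the provider's EncodePassword for PasswordFormat=Hashed."""
    salt = base64.b64decode(salt_b64)
    digest = hashlib.new(algorithm, salt + password.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")


# --- An adaptive replacement with a stored work factor ---------------------
# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 with the iteration count kept next
# to the hash (hypothetical "pbkdf2_sha256$iterations$salt$dk" layout).


def adaptive_encode_password(password: str, salt: bytes, iterations: int) -> str:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def adaptive_verify(password: str, stored: str) -> bool:
    _, iterations, salt_b64, dk_b64 = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))  # constant-time compare


# --- Offline guessing against breached rows --------------------------------
WORDLIST = ["123456", "password", "qwerty", "letmein", "linkedin", "Summer2012!"]  # constructed


def crack_membership(stored_hash: str, salt_b64: str, wordlist, algorithm: str = "sha1"):
    """The per-user salt forces one run per row, but each guess is still one SHA1."""
    for n, guess in enumerate(wordlist, 1):
        if membership_encode_password(guess, salt_b64, algorithm) == stored_hash:
            return guess, n
    return None, len(wordlist)


def crack_adaptive(stored: str, wordlist):
    """Same attack; every guess now pays the full iteration count."""
    for n, guess in enumerate(wordlist, 1):
        if adaptive_verify(guess, stored):
            return guess, n
    return None, len(wordlist)


def guess_rate(check, seconds: float = 0.25) -> float:
    """Rough number of candidate checks per second for `check` on this machine."""
    n, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        check()
        n += 1
    return n / seconds


if __name__ == "__main__":
    salt = membership_generate_salt()
    row_sha1 = membership_encode_password("Summer2012!", salt)
    row_adaptive = adaptive_encode_password("Summer2012!", os.urandom(16), 100_000)

    print("salted SHA1 row cracked:", crack_membership(row_sha1, salt, WORDLIST))
    print("adaptive row cracked:   ", crack_adaptive(row_adaptive, WORDLIST))
    r1 = guess_rate(lambda: membership_encode_password("guess", salt))
    r2 = guess_rate(lambda: adaptive_verify("guess", row_adaptive))
    print("guesses/s  salted SHA1: %.0f   PBKDF2(100k): %.1f   slowdown: %.0fx" % (r1, r2, r1 / r2))
```

Both rows fall to the same six-word list; what changes is the cost per guess, which is the only lever an adaptive scheme gives you once the table is already in the attacker's hands. The iteration count here plays the role of bcrypt's cost parameter and is stored with the hash so it can be raised later as hardware gets faster.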