Possible Duplicate:
WebMatrix WebSecurity PasswordSalt
is there a way to have simpleMembershipProvider use the salt?
when I create my mvc4 web project and set the default connection to sqlexpress, then register, my users do not have a password salt
I would like for it to be as secure as it can without too much trouble.
The PasswordSalt column is unused, but salting is used when creating the hashed password that is stored in the Password field. You can see this if you look at the source code for the SimpleMembershipProvider: http://aspnetwebstack.codeplex.com/SourceControl/changeset/view/3a669e7112e7#src%2fWebMatrix.WebData%2fSimpleMembershipProvider.cs
Check the CreateUserAndAccount method. It uses the Crypto.HashPassword method:
/* =======================
* HASHED PASSWORD FORMATS
* =======================
*
* Version 0:
* PBKDF2 with HMAC-SHA1, 128-bit salt, 256-bit subkey, 1000 iterations.
* (See also: SDL crypto guidelines v5.1, Part III)
* Format: { 0x00, salt, subkey }
*/
public static string HashPassword(string password)
{
if (password == null)
{
throw new ArgumentNullException("password");
}
// Produce a version 0 (see comment above) password hash.
byte[] salt;
byte[] subkey;
using (var deriveBytes = new Rfc2898DeriveBytes(password, SaltSize, PBKDF2IterCount))
{
salt = deriveBytes.Salt;
subkey = deriveBytes.GetBytes(PBKDF2SubkeyLength);
}
byte[] outputBytes = new byte[1 + SaltSize + PBKDF2SubkeyLength];
Buffer.BlockCopy(salt, 0, outputBytes, 1, SaltSize);
Buffer.BlockCopy(subkey, 0, outputBytes, 1 + SaltSize, PBKDF2SubkeyLength);
return Convert.ToBase64String(outputBytes);
}
Basically to address your concerns, it's as secure as it needs to be without you having to go to any additional trouble.
Quote from the documentation:
By design, the SimpleMembershipProvider class does not implement the full range of functionality that is possible in ASP.NET membership providers, as defined in the MembershipProvider class that is used by all ASP.NET membership providers. Some members are available in the class because they are inherited from the base class, but will throw an exception if you access them.
If your website requires the full membership provider capabilities, you can skip initialization of the Web Pages membership system (that is, do not call WebSecurity.InitializeDatabaseConnection()) and instead make sure that the standard membership and role providers are enabled. In that case, calls that you make to the SimpleMembershipProvider class are passed through to the standard provider (which is referred to as the previous provider in the SimpleMembershipProvider class documentation). For more information, see Configuring an ASP.NET Application to Use Membership.
The PasswordSalt field is one of those columns. If you look at the source code of the SimpleMembershipProvider you will notice that the PasswordSalt column is simply set to string.Empty:
if (database.Execute("INSERT INTO [" + MembershipTableName + "] (UserId, [Password], PasswordSalt, IsConfirmed, ConfirmationToken, CreateDate, PasswordChangedDate, PasswordFailuresSinceLastSuccess) VALUES (@0, @1, @2, @3, @4, @5, @5, @6)", new object[] { num, str, string.Empty, !requireConfirmationToken, obj3, DateTime.UtcNow, num2 }) != 1)
{
throw new MembershipCreateUserException(MembershipCreateStatus.ProviderError);
}
So if you want to use it you could write a custom membership provider that overrides the default one and generate the PasswordSalt yourself. You could override the CreateAccount method.
