I am using WebMatrix and have built a website based on the "StarterSite". In this starter site you get a nice basic layout - including registration, login, forgot password pages etc...

I've noticed that in the database that the "webpages_Membership" table has a column named "PasswordSalt". After creating a few new user accounts, this column always remains blank. So I'm assuming that no password salt (not even a default one) is in use.

Obviously this is not the best practice, however I cannot seem to find any documentation that tells me how to set or manage the password salt.

How can I set the password salt with the WebSecurity Helper?

Andreas
Stuart Clement

2 Answers

The above answer gives the impression that there is no salting applied when using WebSecurity SimpleMembershipProvider.

That is not true. Indeed the database salt field is not used, however this does not indicate that there is no salt generated when hashing the password.

In WebSecurity's SimpleMembershipProvider the PBKDF2 algorithm is used; the random salt is generated by the StaticRandomNumberGenerator and stored in the password field with the hash:

// outputBytes[0] is left as 0x00: a format marker byte
byte[] outputBytes = new byte[1 + SALT_SIZE + PBKDF2_SUBKEY_LENGTH];
// the random salt (SALT_SIZE bytes) goes right after the marker
Buffer.BlockCopy(salt, 0, outputBytes, 1, SALT_SIZE);
// the PBKDF2 subkey follows the salt; marker, salt and subkey are all stored in the Password column
Buffer.BlockCopy(subkey, 0, outputBytes, 1 + SALT_SIZE, PBKDF2_SUBKEY_LENGTH);
return Convert.ToBase64String(outputBytes);
Andreas
    Here's a post that goes into more detail: http://www.mikesdotnetting.com/Article/200/The-SimpleMembershipProvider-Secure-Passwords-And-The-Crypto-Helper – Bryan Oct 30 '12 at 16:41
  • As mentioned by [Mike Brind](https://www.mikesdotnetting.com/article/200/the-simplemembershipprovider-secure-passwords-and-the-crypto-helper), SimpleMembershipProvider actually uses a salted hash. But the salt is grounded in the hash value. The password can be hashed by **System.Web.Helpers.Crypto.HashPassword(password)** and can be compared with a plain password string through **System.Web.Helpers.Crypto.VerifyHashedPassword(hashed, password)** – Aryan Firouzian Oct 26 '17 at 22:38
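The layout the answer above describes (one marker byte, a 16-byte salt, then the PBKDF2 subkey, all base64-encoded into the Password column) can be checked offline without a .NET toolchain. The following is an added example, not code from the original page or from ASP.NET Web Pages: a Python re-implementation of the System.Web.Helpers.Crypto format that decodes a stored value, shows where the salt sits, and verifies a password against it the way VerifyHashedPassword does. The constants (HMAC-SHA1, 1000 iterations, 16-byte salt, 32-byte subkey, leading 0x00) come from the System.Web.Helpers.Crypto source and are not stated on this page; the sample password is constructed for the demo.

```python
"""Re-implementation of the SimpleMembershipProvider / System.Web.Helpers.Crypto
password hash layout, so a value from the webpages_Membership.Password column
can be decoded and verified offline. Added example; not the framework's code."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Layout of Crypto.HashPassword output (constants taken from the
# System.Web.Helpers.Crypto source, not from the page):
#   { 0x00, salt[16], PBKDF2-HMAC-SHA1(password, salt, 1000 iters)[32] }, base64-encoded
FORMAT_MARKER = 0x00
SALT_SIZE = 16          # 128 bits
SUBKEY_LENGTH = 32      # 256 bits
ITERATIONS = 1000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a base64 string in the same layout Crypto.HashPassword produces.

    `salt` may be supplied for deterministic tests; otherwise a fresh random
    salt is drawn from os.urandom, as the provider draws one from its RNG.
    """
    if salt is None:
        salt = os.urandom(SALT_SIZE)
    if len(salt) != SALT_SIZE:
        raise ValueError(f"salt must be {SALT_SIZE} bytes")
    subkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                 ITERATIONS, dklen=SUBKEY_LENGTH)
    return base64.b64encode(bytes([FORMAT_MARKER]) + salt + subkey).decode("ascii")


def parse_hashed_password(hashed: str) -> Dict[str, object]:
    """Split a stored Password column value into marker, salt and subkey.

    Raises ValueError on anything that is not the expected 49-byte layout,
    which is exactly the case VerifyHashedPassword treats as "no match".
    """
    raw = base64.b64decode(hashed, validate=True)
    if len(raw) != 1 + SALT_SIZE + SUBKEY_LENGTH or raw[0] != FORMAT_MARKER:
        raise ValueError("not a SimpleMembershipProvider password hash")
    return {
        "marker": raw[0],
        "salt": raw[1:1 + SALT_SIZE],
        "subkey": raw[1 + SALT_SIZE:],
    }


def verify_hashed_password(hashed: str, password: str) -> bool:
    """Mirror Crypto.VerifyHashedPassword: re-derive with the embedded salt and compare."""
    try:
        parts = parse_hashed_password(hashed)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), parts["salt"],
                                    ITERATIONS, dklen=SUBKEY_LENGTH)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, parts["subkey"])


if __name__ == "__main__":
    # Constructed demo password; in practice paste a value from the Password column.
    stored = hash_password("correct horse battery staple")
    info = parse_hashed_password(stored)
    print("stored value:", stored)
    print("salt (hex):  ", info["salt"].hex(), "<- the salt lives inside the Password column")
    print("verify ok:   ", verify_hashed_password(stored, "correct horse battery staple"))
    print("verify bad:  ", verify_hashed_password(stored, "wrong password"))
```

A real value copied from the Password column decodes to 49 bytes (a 68-character base64 string) whose first byte is 0x00 and whose next 16 bytes are the salt, which is why the separate PasswordSalt column can stay empty without the hash being unsalted.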
As of the RTM release of WebMatrix/ASP.NET Web Pages, the salt feature/column is unused.

If you open up the Web Pages source, you'll see the db classes littered with references like

INSERT INTO [" + MembershipTableName + "] (UserId, [Password], PasswordSalt

...

VALUES (uid, hashedPassword,String.Empty /* salt column is unused */

shortened for emphasis

There are definitely ways to override and implement this behavior, first being:

  • override System.WebData.SimpleMembershipProvider.CreateAccount()

or

  • extend with System.WebData.SimpleMembershipProvider.CreateAccountWithPasswordSalt()

Not going to go into detail there though unless you request, as your usage of WebMatrix and a template suggests you probably don't want to mess with rewriting a ton of your own C#/ASP code for this project.

Taylor Bird