3
votes

I have a legacy application that uses the ASP.NET membership provider w/ SQL backend. The passwords in the database are set to clear. I would like to encrypt these passwords while preserving the individual passwords. How can I programmatically go about accomplishing this?

I know that in order for ASP.NET to recognize the change, I'll need to change the database password format, password salt, and the password itself. I'll also need to change the password format in the ASP.NET configuration to use the encrypted password format.

Essentially, I would need to generate a salt, grab the password, apply an encryption to the password, but I'm a little lost on how to actually encrypt the password.

2
Bad idea. You should hash the passwords and save the hashes -- there's no reason to retain the original passwords. - George Stocker
@George I agree. However, a business decision out of my control. - George Johnston
Oh, misunderstood: so you have a SqlMembershipProvider with PasswordFormat=Clear and you want to change this to PasswordFormat=Hashed or Encrypted without forcing everyone to reset their password? You mention salt - so you want Hashed not Encrypted? Are your requirements recoverable-password or don't-force-password-change? - Rup

2 Answers

3
votes

When you say you want to encrypt these passwords by still preserving the individual passwords, I'm assuming you mean that you don't want to have the users' passwords be changed.

I would suggest you do a test run on this (I'm sure you would anyways).

Reference this post for the internals of how the SHA1 hashing works. How to create a asp.net membership provider hashed password manually?

  1. Create a small app to connect to the database and hash all the passwords.

  2. Update the config for your application to Hash the passwords (remove the "Clear" directive as hashing is the default).
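As an added example (not the answerer's code or part of the SqlMembershipProvider library), the following mirrors the provider's default SHA1 "Hashed" storage format described in the linked post: a random 16-byte salt stored base64-encoded in PasswordSalt, and Password = base64(SHA1(salt bytes || UTF-16LE password)), with PasswordFormat set to 1. The `aspnet_Membership` rows are constructed in-memory stand-ins; in the real migration the same loop would run against the database from a small .NET app.

```python
import base64
import hashlib
import hmac
import os

# Values SqlMembershipProvider stores in the PasswordFormat column
PASSWORD_FORMAT_CLEAR = 0
PASSWORD_FORMAT_HASHED = 1


def new_salt() -> str:
    # The provider generates a 16-byte random salt and stores it base64-encoded
    return base64.b64encode(os.urandom(16)).decode("ascii")


def hash_password(password: str, salt_b64: str) -> str:
    # Default Hashed format: SHA1 over salt bytes followed by the
    # UTF-16LE (Encoding.Unicode) bytes of the password, then base64
    data = base64.b64decode(salt_b64) + password.encode("utf-16-le")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def verify_password(candidate: str, salt_b64: str, stored_hash: str) -> bool:
    # Constant-time compare of the recomputed hash against the stored column
    return hmac.compare_digest(hash_password(candidate, salt_b64), stored_hash)


def is_well_formed(salt_b64: str, hash_b64: str) -> bool:
    # Sanity check for a migrated row: 16-byte salt, 20-byte SHA1 digest
    return len(base64.b64decode(salt_b64)) == 16 and len(base64.b64decode(hash_b64)) == 20


def migrate_rows(rows) -> int:
    """Convert Clear rows to Hashed in place, one fresh salt per user.
    Rows that are not PasswordFormat=0 are left untouched."""
    migrated = 0
    for row in rows:
        if row["PasswordFormat"] != PASSWORD_FORMAT_CLEAR:
            continue
        salt = new_salt()
        row["Password"] = hash_password(row["Password"], salt)
        row["PasswordSalt"] = salt
        row["PasswordFormat"] = PASSWORD_FORMAT_HASHED
        migrated += 1
    return migrated


# Constructed sample rows standing in for aspnet_Membership (not real data)
SAMPLE_ROWS = [
    {"UserName": "alice", "Password": "Correct Horse", "PasswordSalt": "", "PasswordFormat": 0},
    {"UserName": "bob", "Password": "hunter2", "PasswordSalt": "", "PasswordFormat": 0},
]
```

Run the loop inside one transaction so a failure part-way does not leave a mix of clear and hashed rows, and only switch the web.config passwordFormat after every row reports PasswordFormat=1.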

1
votes

I suggest you hash them with a salt.

This web page contains everything you need to hash: http://www.obviex.com/samples/hash.aspx

You have to iterate through your records and update them.

Then change the password checking logic in your code.