
I'm using the membership provider on a site and it's worked well for years. Today, I revisited the site and am now concerned about the password format option. I need the ability for users to reset their password, but now we don't need password retrieval, although we need security Q&A before they reset. Below are some of the provider settings I'm using.

enablePasswordRetrieval="true" enablePasswordReset="true" passwordFormat="Encrypted"

Mainly, I'm concerned about the security of passwordFormat="Encrypted". PasswordFormat="Hashed" looks much tighter but with a lot of accounts in the database, I'm not sure how I would convert.

Is it possible to convert this late in the game? If not, is my site secure?


1 Answer


Is it possible to convert this late in the game?

Encrypted password format uses reversible encryption, so there is a way. Maybe this will help: Changing passwordFormat from Encrypted to Hashed

If not, is my site secure?

The security of using hashed password protection is that it uses a "one-way" algorithm. There is no key to reverse the scrambling of the data, only a method to determine if the supplied data (password) matches the hashed data.

So, using the reversible encryption, your passwords are only as safe as the encryption keys you use. If you store the machineKey in configuration, and you use protected configuration, your security will rest on the server's PKI certificate private key held locally on the web server. If you are concerned about the exposure of your server, you might want to change your password format. It's up to you.
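The conversion the answer links to, worked through as an added example (this is not the answerer's code nor part of ASP.NET itself). It assumes two SqlMembershipProvider entries in web.config that point at the same database and applicationName: one still configured Encrypted with retrieval enabled so the existing rows can be decrypted, and one configured Hashed. The provider names "EncryptedProvider" and "HashedProvider" and the connection string name "MembershipDb" are hypothetical. The trick is that SqlMembershipProvider.ChangePassword checks the old password against the format stored on the user's row, then writes the new value in the calling provider's own format, so calling it on the Hashed provider with the same password on both sides re-stores each account as a salted hash.

```csharp
// Added example: one-time migration of stored membership passwords from
// passwordFormat="Encrypted" to passwordFormat="Hashed".
//
// Assumed web.config (provider names and connection string name are hypothetical):
//
//   <membership defaultProvider="HashedProvider">
//     <providers>
//       <add name="EncryptedProvider" type="System.Web.Security.SqlMembershipProvider"
//            connectionStringName="MembershipDb" applicationName="/"
//            passwordFormat="Encrypted" enablePasswordRetrieval="true"
//            enablePasswordReset="true" requiresQuestionAndAnswer="false" />
//       <add name="HashedProvider" type="System.Web.Security.SqlMembershipProvider"
//            connectionStringName="MembershipDb" applicationName="/"
//            passwordFormat="Hashed" enablePasswordRetrieval="false"
//            enablePasswordReset="true" requiresQuestionAndAnswer="true" />
//     </providers>
//   </membership>
//
// The machineKey decryptionKey must be the same one that produced the existing
// rows; otherwise GetPassword() cannot decrypt them and the migration fails.
using System;
using System.Web.Security;

public static class PasswordFormatMigration
{
    // Re-stores every account as hashed and returns how many were converted.
    // Throws on the first account that cannot be converted so a partial run is visible.
    public static int MigrateEncryptedToHashed()
    {
        MembershipProvider encrypted = Membership.Providers["EncryptedProvider"];
        MembershipProvider hashed = Membership.Providers["HashedProvider"];

        const int pageSize = 100;
        int pageIndex = 0;
        int total;
        int migrated = 0;

        do
        {
            MembershipUserCollection page = encrypted.GetAllUsers(pageIndex, pageSize, out total);
            foreach (MembershipUser user in page)
            {
                // Decrypt with the old provider. The answer argument is ignored because
                // the Encrypted provider has requiresQuestionAndAnswer="false".
                string plain = encrypted.GetPassword(user.UserName, null);

                // Old password is verified against the row's stored (Encrypted) format;
                // the new value is written in this provider's format, i.e. Hashed.
                if (!hashed.ChangePassword(user.UserName, plain, plain))
                {
                    throw new InvalidOperationException(
                        "Could not re-hash account '" + user.UserName + "' (locked out or validation failed)");
                }
                migrated++;
            }
            pageIndex++;
        } while (pageIndex * pageSize < total);

        return migrated;
    }
}
```

Run this once from an admin-only page inside the application so it picks up the same web.config and machineKey. When it has finished, delete the EncryptedProvider entry and the enablePasswordRetrieval="true" setting: SqlMembershipProvider refuses to initialize when passwordFormat="Hashed" is combined with enablePasswordRetrieval="true", which is exactly the property the question is after, since a hashed store has nothing to retrieve.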