
We are migrating our user authentication from the provided .NET implementation to our own system.

We'd like to be able to support old passwords that exist in the aspNet_Membership table.

The Password and Salt reside in that table, so theoretically we could recompute the hash that the SqlMembershipProvider is using.

However, I can't seem to find anything describing the algorithm that is being used. Inspecting the Membership provider tells me it is using HMACSHA256 to compute the hashes.

However, the stored password hashes are 20 bytes long, telling me they must do more than simply compute the sha256 hash of the password and salt.

Could the Membership Provider be lying? Is it using SHA1 or RIPEMD under the covers?

Alternatively, if I could just get access to the encryption provider they are using, I could just pass the old password and salt into it... I don't necessarily need to reinvent the wheel.

  • Thank you for noticing the hash length! I've been trying to reproduce hashes all day. SHA1 hashes are 20 bytes. Your observation led me to just try using SHA1 for my manual hash. Sure enough, it matches what my MembershipProvider, which claims it is using HMACSHA256 (`Membership.HashAlgorithmType` = "HMACSHA256 "), generated! Progress. Now the only question is, "WTF?" – xr280xr Dec 15 '15 at 01:01

2 Answers


Yes, the Membership class might be lying. It seems the SqlMembershipProvider must have the passwordCompatMode=Framework40 attribute in order to actually use the hashing and encryption options that were added in ASP.NET 4. Without that it uses a legacy compatibility mode that ignores the Membership hash algorithm and defaults to SHA1. Create an instance of your SqlMembershipProvider and look at the _LegacyPasswordCompatibilityMode property in the debugger as well as the private s_HashAlgorithm member (which only gets set after it hashes a password). They will probably show you "Framework20" and "SHA1" respectively. Thanks for your question, it helped me find the answer.

Here is my question and answer with more details: https://stackoverflow.com/a/34280119/263832

xr280xr
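To make the accepted answer concrete, here is an added example (not code from the original post, and not the .NET source) that recomputes the legacy Framework20 hash in Python and verifies a login against it in constant time. It assumes the byte layout that SqlMembershipProvider.EncodePassword uses for the SHA1 case: SHA1 over the base64-decoded PasswordSalt followed by the UTF-16LE encoding of the password, with the digest stored base64-encoded (20 bytes, hence 28 base64 characters). The sample salt and password are constructed for the demonstration; the PBKDF2 parameters and the upgrade_on_login / verify_upgraded functions are my own choices for the replacement scheme, not anything the question describes. The Framework40 mode (where the configured HMACSHA256 is actually used) is not handled here.

```python
import base64
import hashlib
import hmac
import os

# Legacy (passwordCompatMode="Framework20") SqlMembershipProvider layout
# assumed here, per the .NET reference source for the SHA1 case:
#   stored = base64( SHA1( base64decode(PasswordSalt) || UTF-16LE(password) ) )
# PasswordSalt is 16 random bytes, stored base64-encoded. SHA1 yields 20 bytes,
# which matches the 20-byte hashes observed in the question.

# Constructed sample values for the demonstration (not real database rows).
SAMPLE_SALT_B64 = base64.b64encode(bytes(range(16))).decode("ascii")
SAMPLE_PASSWORD = "correct horse battery staple"

# Parameters for the replacement scheme (assumption, not from the page).
PBKDF2_ITERATIONS = 600_000


def legacy_membership_hash(password: str, salt_b64: str) -> str:
    """Recompute the PasswordFormat=1 (Hashed) value in legacy SHA1 mode."""
    salt = base64.b64decode(salt_b64)
    pw_bytes = password.encode("utf-16-le")  # .NET Encoding.Unicode, no BOM
    digest = hashlib.sha1(salt + pw_bytes).digest()  # 20 bytes
    return base64.b64encode(digest).decode("ascii")


def verify_legacy(password: str, salt_b64: str, stored_hash_b64: str) -> bool:
    """Check a candidate password against an aspnet_Membership row (constant-time compare)."""
    candidate = legacy_membership_hash(password, salt_b64)
    return hmac.compare_digest(candidate.encode("ascii"), stored_hash_b64.encode("ascii"))


def upgrade_on_login(password: str, salt_b64: str, stored_hash_b64: str):
    """Verify against the legacy hash and, on success, return a PBKDF2-HMAC-SHA256
    record that should replace it. Returns None when the password does not match,
    so the caller never rehashes an unverified password."""
    if not verify_legacy(password, salt_b64, stored_hash_b64):
        return None
    new_salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), new_salt, PBKDF2_ITERATIONS)
    return {
        "alg": "pbkdf2-sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": base64.b64encode(new_salt).decode("ascii"),
        "hash": base64.b64encode(dk).decode("ascii"),
    }


def verify_upgraded(record: dict, password: str) -> bool:
    """Verify a password against a record produced by upgrade_on_login."""
    salt = base64.b64decode(record["salt"])
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(dk, base64.b64decode(record["hash"]))


if __name__ == "__main__":
    stored = legacy_membership_hash(SAMPLE_PASSWORD, SAMPLE_SALT_B64)
    print("legacy hash:", stored, "(decoded length:", len(base64.b64decode(stored)), "bytes)")
    print("verify ok:  ", verify_legacy(SAMPLE_PASSWORD, SAMPLE_SALT_B64, stored))
    print("verify bad: ", verify_legacy("wrong", SAMPLE_SALT_B64, stored))
    print("upgraded:   ", upgrade_on_login(SAMPLE_PASSWORD, SAMPLE_SALT_B64, stored))
```

To check the layout against your own data, take a row's PasswordSalt and the user's known password, run legacy_membership_hash and compare with the Password column; if it does not match, the provider was not in Framework20/SHA1 mode for that row. A single SHA1 round over salt plus password is cheap to brute-force offline, so the practical migration path is to verify with verify_legacy at login, store the record from upgrade_on_login, and drop the legacy columns once the remaining users have been rehashed or reset.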

If the password format is 1 then you can't recompute the hash; it's a non-reversible algorithm.

You can change the passwordformat for each user as you go and set new passwords.

user2711068
    Recomputing the hash is not reversing it. If you can't recompute a hash, the hash is useless. – xr280xr Dec 15 '15 at 00:50