
I'm experimenting with using the Asp.Net SqlMembershipProvider, and am noticing in the aspnet_Membership table that the PasswordSalt field has the exact same value for every entry. Now, I am using the same password for every user in my testing, but this seems wrong. In production, if two users were to use the same password, that should be indistinguishable in the database because the password hash and salt should be different.

In the web.config membership section, I have passwordFormat="Hashed" set in the provider options.

What am I missing?

Random
  • Just asking for some background: Sounds like you're using Identity 1.0 is this correct? – Humpy Dec 18 '15 at 21:13
  • I'm assuming you are using the ASP.NET built in methods for generating passwords and salts? – kevindeleon Dec 18 '15 at 21:26
  • @Humpy, I'm using the SqlMembershipProvider that comes with v4.0 of the System.Web.dll. Not sure what you mean by Identity 1.0. – Random Dec 18 '15 at 21:30
  • @kevindeleon, yes, I'm using default functionality of the provider. – Random Dec 18 '15 at 21:30
  • He's talking about Identity, which is actually a better solution than Membership if I remember correctly. http://www.asp.net/identity -- Better in that it's a more modern solution with better features and better security. – kevindeleon Dec 18 '15 at 21:39
  • Yeah, I believe that the SQLMembershipProvider was before the time of Identity. Identity might be a better solution for you. It's more secure and it's normally set up straight out of the box and is very simple to set up. Normally, if you create a webforms or mvc app, and fix the connection string and register a user for the first time, it will automatically create the tables for you with all the relationships. Identity 1.0 used tables similar to what you mentioned... aspnet_membership. You can get started here. http://www.asp.net/identity/overview/getting-started/introduction-to-aspnet-identity – Humpy Dec 18 '15 at 21:48
  • @Humpy, thanks for the link. I actually was not up-to-date on the Identity upgrades. For what I'm looking at though, I need to investigate the question in relation to Membership, not Identity. – Random Dec 18 '15 at 21:57
  • Just for giggles, did you try a different user, with a different password? Is the salt also the same for that user (I hope not)? – kevindeleon Dec 18 '15 at 22:06
  • @kevindeleon Interesting, I did a test just now to verify, and it did give me a different salt, but I have evidence in the same table of the same salt with different password hash (obviously not ALL the test users had the same password). – Random Dec 18 '15 at 22:23

0 Answers
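
An audit for the condition described in the question (one PasswordSalt value stored on several rows), as an added example that is not part of the original posts. The table is a simplified, constructed stand-in for aspnet_Membership held in an in-memory SQLite database, and the SHA-256 hashing is an assumption for illustration, not the provider's algorithm.

```python
import base64, hashlib, os, sqlite3

def salted_hash(password: str, salt: bytes) -> str:
    # Illustrative scheme only (assumption): SHA-256 over salt + password.
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode()

def build_sample_db(rows):
    """rows: (user_id, password, salt_bytes). Builds the constructed sample table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE aspnet_Membership "
               "(UserId TEXT, Password TEXT, PasswordSalt TEXT)")
    for user_id, password, salt in rows:
        db.execute("INSERT INTO aspnet_Membership VALUES (?, ?, ?)",
                   (user_id, salted_hash(password, salt),
                    base64.b64encode(salt).decode()))
    return db

# Standard SQL aggregates only: one result row per salt that appears more than once.
AUDIT_SQL = """
SELECT PasswordSalt,
       COUNT(*)                 AS users,
       COUNT(DISTINCT Password) AS distinct_hashes
FROM aspnet_Membership
GROUP BY PasswordSalt
HAVING COUNT(*) > 1
ORDER BY users DESC
"""

def audit_salt_reuse(db):
    """Return (salt, users, distinct_hashes) for every reused salt.
    users > distinct_hashes means equal passwords show up as equal hashes."""
    return db.execute(AUDIT_SQL).fetchall()

def sample_rows():
    shared = b"\x01" * 16  # constructed: one salt reused across three users
    return [
        ("u1", "Test123!", shared),
        ("u2", "Test123!", shared),           # same salt, same password
        ("u3", "Other456!", shared),          # same salt, different password
        ("u4", "Test123!", os.urandom(16)),   # fresh random salt per user
        ("u5", "Test123!", os.urandom(16)),
    ]

if __name__ == "__main__":
    for salt, users, hashes in audit_salt_reuse(build_sample_db(sample_rows())):
        print(f"salt {salt}: {users} rows, {hashes} distinct hashes")
```

With the constructed rows, the shared salt is reported with 3 rows and 2 distinct hashes, while the two users with fresh salts never appear even though they use the same password as u1 and u2.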