
I have an ASP.NET web app, forms authentication, that uses the Hashed password type. Will I run across any problems if I change the password type to Encrypted?

I see that, if I change to Encrypted, attempted password recovery for old hashed passwords fails gracefully, which is good. Are there any not-so-good things that might show up if I change?

If someone changes their password after I make the change to Encrypted the password type stays as Hashed. Is there any way to force it to store the new password as Encrypted instead?

GEOCHET
Mr. Flibble

1 Answer

if I change the password type to Encrypted?

Why?

Hashed is safer (password recovery: generate a new password and send that).

The only reason I can see to use encrypted is if the passwords are needed by the system itself (e.g. to authenticate to another system as the user).

Richard
  • The system does not need to be rock solid secure. I want the users to be able to retrieve their password. Having the extra step of resetting a password, logging in and changing the password back to something memorable may be one step too many between trying to buy something and buying something. – Mr. Flibble Feb 17 '09 at 22:33
  • I suppose it really depends very much on how often users have forgotten their passwords. – Richard Feb 18 '09 at 10:34
  • 2
    Whenever I hear that a system does not need to be all that secure, I immediately suspect security theatre... which may be an accurate description of most web shops, now that I think about it. – Pontus Gagge Mar 10 '09 at 01:43
  • @Pontus: indeed... and the way people tend to reuse passwords means many a site is competing to be the weakest link. – Richard Mar 10 '09 at 11:28
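To make the answer's recommendation concrete, here is an added example of a web.config fragment for SqlMembershipProvider (not code from the question or the answer). The provider name, connection string name and key values are placeholders. It keeps passwordFormat="Hashed" with retrieval disabled and reset enabled, which is the "generate a new password and send that" flow Richard describes, and shows in a comment what an Encrypted configuration additionally requires.

```xml
<!-- Added example (not from the question or answer): web.config fragment for
     SqlMembershipProvider. Provider name, connection string name and key
     values are placeholders. -->
<configuration>
  <connectionStrings>
    <add name="MembershipDb" connectionString="PLACEHOLDER_CONNECTION_STRING" />
  </connectionStrings>
  <system.web>
    <!-- Hashed: the stored value cannot be turned back into the password.
         GetPassword() is unavailable, so recovery means ResetPassword() and
         sending the user the new value, as the answer suggests. -->
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="0" />
      </providers>
    </membership>
    <!-- If passwordFormat="Encrypted" is used instead, the provider refuses to
         start with an auto-generated machineKey: validationKey and
         decryptionKey must be explicit, and anyone who obtains them together
         with the database can recover every password. Keep them out of source
         control. The values below are placeholders, not real keys. -->
    <!--
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_HEX"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX"
                validation="HMACSHA256"
                decryption="AES" />
    -->
  </system.web>
</configuration>
```

One thing worth checking before flipping the setting: SqlMembershipProvider stores the password format per user in the membership table, and ChangePassword re-encodes the new password in the format already recorded for that user. That is why, as the question observes, existing accounts stay Hashed after the config change; only users created after the change get the new format.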