use the salt when using SimpleMembershipProvider
Possible Duplicate:
WebMatrix WebSecurity PasswordSalt
is there a way to have simpleMembershipProvider use the salt?
when I create my mvc4 web project and set the default connection to sqlexpress, then register, my users do not have a password salt
I would like for it to be as secure as it can without too much trouble.
The PasswordSalt column is unused, but salting is used when creating the hashed password that is stored in the Password field. You can see this if you look at the source code for the SimpleMembershipProvider: http://aspnetwebstack.codeplex.com/SourceControl/changeset/view/3a669e7112e7#src%2fWebMatrix.WebData%2fSimpleMembershipProvider.cs
Check the CreateUserAndAccount method. It uses the Crypto.HashPassword method:
/* =======================
* HASHED PASSWORD FORMATS
* =======================
*
* Version 0:
* PBKDF2 with HMAC-SHA1, 128-bit salt, 256-bit subkey, 1000 iterations.
* (See also: SDL crypto guidelines v5.1, Part III)
* Format: { 0x00, salt, subkey }
*/
public static string HashPassword(string password)
{
if (password == null)
{
throw new ArgumentNullException("password");
}
// Produce a version 0 (see comment above) password hash.
byte[] salt;
byte[] subkey;
using (var deriveBytes = new Rfc2898DeriveBytes(password, SaltSize, PBKDF2IterCount))
{
salt = deriveBytes.Salt;
subkey = deriveBytes.GetBytes(PBKDF2SubkeyLength);
}
byte[] outputBytes = new byte[1 + SaltSize + PBKDF2SubkeyLength];
Buffer.BlockCopy(salt, 0, outputBytes, 1, SaltSize);
Buffer.BlockCopy(subkey, 0, outputBytes, 1 + SaltSize, PBKDF2SubkeyLength);
return Convert.ToBase64String(outputBytes);
}
Basically to address your concerns, it's as secure as it needs to be without you having to go to any additional trouble.