I am implementing ASP.NET Membership, using default SQL Provider, default web.config settings.
I notice that passwords are hashed. But I don't know how ASP.NET hashes my passwords, so I am not sure whether it is possible for a hacker to decrypt this.
If ASP.NET uses the same rule to hash passwords, which everyone knows, then a hacker can easily crack it.
For example, if ASP.NET used MD5(123456), whose result is "E10ADC3949BA59ABBE56E057F20F883E", then a hacker could use an MD5 dictionary to look it up.
My settings are:
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices"
enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
applicationName="/" />
-- SQL Statement:
SELECT am.UserId, am.[Password], am.PasswordSalt FROM aspnet_Membership am
-- The result is:
F10A635D-22DA-419C-84E6-767D2A35A010,tpeiwPt5+kFbcocQZOuc4aoHeuI=,PVq9dPtbFxze9Erbfd7HrA==
The password is 123456; it becomes "tpeiwPt5+kFbcocQZOuc4aoHeuI=".
Is this value always the same on different machines or different apps?
If this value has something to do with the salt "PVq9dPtbFxze9Erbfd7HrA==", is it possible for hackers to use this salt to decrypt my password?
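As an added illustration (my own reconstruction, not code from the post or from the .NET Framework), the following recomputes the stored value from the post's own salt under the assumption that the provider is running with passwordFormat="Hashed" and the default hashAlgorithmType="SHA1": the provider prepends the raw salt bytes to the UTF-16LE encoding of the password, hashes once with SHA1 and base64-encodes the 20-byte digest, which is why the stored value is 28 characters long.

```python
import base64
import hashlib
import hmac
import os

# Values copied from the aspnet_Membership row shown in the post (password "123456").
POST_SALT_B64 = "PVq9dPtbFxze9Erbfd7HrA=="
POST_HASH_B64 = "tpeiwPt5+kFbcocQZOuc4aoHeuI="


def encode_password(password: str, salt_b64: str) -> str:
    """Reproduce the SqlMembershipProvider hashed format.

    Assumption: passwordFormat="Hashed" with hashAlgorithmType="SHA1"
    (the default before .NET 4). The salt is stored base64-encoded; the
    provider decodes it, appends the password as UTF-16LE bytes
    (Encoding.Unicode), hashes the concatenation once and base64-encodes
    the digest.
    """
    salt = base64.b64decode(salt_b64)
    digest = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")


def new_salt_b64() -> str:
    """The provider draws 16 random bytes per user and stores them base64-encoded."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def verify_password(password: str, salt_b64: str, stored_hash_b64: str) -> bool:
    """Check a candidate password against a stored row without a timing leak."""
    return hmac.compare_digest(encode_password(password, salt_b64), stored_hash_b64)


if __name__ == "__main__":
    # Recompute the row from the post: True if the scheme assumption holds.
    print(encode_password("123456", POST_SALT_B64) == POST_HASH_B64)
    # Same password, fresh salt: a different stored value, so the value is
    # not the same across users, machines or applications.
    print(encode_password("123456", new_salt_b64()) != POST_HASH_B64)
```

Because the salt is random per user, the same password produces a different stored value in every row, so a precomputed table keyed on the bare hash (the MD5-dictionary scenario in the question) does not transfer between databases. The hash is still a single fast SHA1 over salt and password, so a weak password such as 123456 remains cheap to test against an individual row once the salt is known, which is the reason later ASP.NET Identity versions moved to an iterated PBKDF2 scheme.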