We transfer user authentication from the provided .NET implementation to our own system.
We would like to be able to support old passwords that exist in the aspNet_Membership table.
The password and salt are in this table, so theoretically we can recompile the hash used by SqlMembershipProvider.
However, I cannot find anything that describes the algorithm used. Enabling the membership operator tells me that it uses HMACSHA256 to calculate hashes.
However, the stored password hashes are 20 bytes long, telling me that they should do more than just calculate the password and salt sha256 hash code.
Can a membership provider lie? Is SHA1 or RIPEMD used under the covers?
Alternatively, if I could just access the encryption provider that they use, I could just pass the old password and salt into it ... I don't have to reinvent the wheel.
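One way to settle the 20-byte question empirically before migrating, shown as an added example that is not part of the original post: take one account whose password you know (for instance a test account) and check which digest, text encoding and salt order reproduces its stored hash. The function names and the sample row are constructed for illustration, and the code assumes the password and salt columns hold base64 strings.

```python
import base64
import hashlib
import hmac
from itertools import product

ALGOS = ("sha1", "ripemd160", "sha256")          # 20, 20 and 32-byte digests
ENCODINGS = ("utf-16-le", "utf-8")               # .NET Encoding.Unicode is UTF-16LE
ORDERS = ("salt+password", "password+salt")


def legacy_digest(password, salt_b64, scheme):
    """Hash one password under an (algo, encoding, order) scheme."""
    algo, enc, order = scheme
    salt, pw = base64.b64decode(salt_b64), password.encode(enc)
    data = salt + pw if order == "salt+password" else pw + salt
    return hashlib.new(algo, data).digest()


def identify_scheme(password, salt_b64, stored_b64):
    """Return every candidate scheme that reproduces the stored hash."""
    stored = base64.b64decode(stored_b64)
    matches = []
    for scheme in product(ALGOS, ENCODINGS, ORDERS):
        try:
            digest = legacy_digest(password, salt_b64, scheme)
        except ValueError:       # digest not offered by this OpenSSL build
            continue
        if hmac.compare_digest(digest, stored):
            matches.append(scheme)
    return matches


def verify_legacy(password, salt_b64, stored_b64, scheme):
    """Constant-time check of a login attempt against a legacy row."""
    expected = base64.b64decode(stored_b64)
    return hmac.compare_digest(legacy_digest(password, salt_b64, scheme), expected)


# Constructed sample row (not real data): 16-byte salt, SHA1(salt || UTF-16LE password).
SAMPLE_PASSWORD = "Passw0rd!"
SAMPLE_SALT = base64.b64encode(bytes(range(16))).decode()
SAMPLE_HASH = base64.b64encode(
    hashlib.sha1(bytes(range(16)) + SAMPLE_PASSWORD.encode("utf-16-le")).digest()
).decode()

if __name__ == "__main__":
    for scheme in identify_scheme(SAMPLE_PASSWORD, SAMPLE_SALT, SAMPLE_HASH):
        print("match:", scheme, "digest length:", hashlib.new(scheme[0]).digest_size)
```

Once a scheme is identified, `verify_legacy` can validate old rows at login so each account can be re-hashed with the new system's algorithm after a successful sign-in.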