Choosing a Password Format


If you use the SqlMembershipProvider, you have three choices for how user passwords (and password answers, which we'll talk about in the next section) should be stored. The MembershipPasswordFormat enumeration provides three options: Clear, Encrypted, and Hashed. The first option, Clear, should obviously be avoided in production scenarios. If you are forcing your users to take the time to log into your Web application, you'd better take the time to protect their passwords on the backend. For better or worse, many naïve users use the same password everywhere, and you need to take some basic steps to prevent passwords from casually leaking, even to authorized administrators.

So the choice really comes down to using Encrypted or Hashed password storage. If you choose the former, you need to supply an encryption key,[11] and if you ever lose that key, you won't be able to authenticate your users anymore, which is a bit of a drawback. There is one usability benefit to using Encrypted password storage: the password can be retrieved if the user forgets what it is, although how you communicate that password to the end user depends on your security posture (many Web sites e-mail passwords to forgetful users, which drives Keith bonkers). The PasswordRecovery control automates this if you decide you want this feature.

[11] Discussed further in the section titled A Word about Machine Keys.

The most secure option is to choose Hashed password storage. In this case, whenever a user's password is set, SqlMembershipProvider computes a one-way hash of the new password along with a random salt, and stores the hash and the salt value in the user's record in the membership database. That means there's no need for an encryption key, which ironically is a huge benefit: the fewer secrets you have, the better off you are!

When you choose Hashed, all you really have is a password verifier; there's no way to reverse that hash to retrieve the password. This means that if a user forgets her password, retrieving it is not an option; the GetPassword method will throw an exception. Of course, this doesn't mean that your membership database is uncrackable. Unless you're requiring users to have very long passwords, you must assume that an attacker who steals your membership database will eventually guess the passwords via a brute-force or dictionary attack. Hashing just buys you a bit of time to inform your users of the compromise. It'll also frustrate the administrator who decides to go poking around the membership database late at night when nobody is looking, and it'll do so without requiring a secret key.

With encrypted passwords, if the user forgets her password, you could use GetPassword to retrieve it for her. If you're storing hashed passwords, ResetPassword is what you should use instead. This method generates a random password for the user, hashes it, and stores the verifier in the user's record. It then returns the new password to you so that you can communicate it to the user. If the user doesn't like the password you've generated, she can always change her password, which is why the ChangePassword method exists. There's also a ChangePassword control that automates this, shown in Figure 5-7.
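To make the hashed-storage model concrete, here is an added example (not code from the book or from SqlMembershipProvider itself) of a toy membership store that keeps only a salt and a verifier per user and mirrors the provider's behaviour for ValidateUser, GetPassword, ResetPassword and ChangePassword. The record layout (SHA-1 over the salt bytes followed by the UTF-16LE password bytes, both salt and hash base64-encoded) is an assumption based on my understanding of the real provider, not something the text states; the class and method names are mine.

```python
import base64
import hashlib
import hmac
import os
import secrets
import string


class HashedMembershipStore:
    """Toy stand-in for SqlMembershipProvider with passwordFormat="Hashed".

    A user record holds a random salt and a one-way hash (the verifier), never
    the password itself. The record layout is an assumption for this example,
    based on my understanding of the real provider: SHA-1 over salt bytes
    followed by the UTF-16LE password bytes, salt and hash stored base64-encoded.
    """

    SALT_BYTES = 16
    RESET_LENGTH = 12

    def __init__(self):
        self._users = {}  # username -> {"salt": str, "hash": str}

    @staticmethod
    def _encode(password, salt_b64):
        data = base64.b64decode(salt_b64) + password.encode("utf-16-le")
        return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

    def _store(self, username, password):
        # A fresh random salt every time a password is set.
        salt_b64 = base64.b64encode(os.urandom(self.SALT_BYTES)).decode("ascii")
        self._users[username] = {"salt": salt_b64, "hash": self._encode(password, salt_b64)}

    def create_user(self, username, password):
        self._store(username, password)

    def validate_user(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return False
        # Constant-time compare of the stored verifier against a fresh encoding.
        return hmac.compare_digest(rec["hash"], self._encode(password, rec["salt"]))

    def get_password(self, username):
        # Same behaviour as the provider: only a verifier exists, nothing to return.
        raise NotImplementedError("GetPassword is not supported for Hashed format")

    def reset_password(self, username):
        """Generate a random password, store its verifier, and return the password."""
        if username not in self._users:
            raise KeyError(username)
        alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
        new_password = "".join(secrets.choice(alphabet) for _ in range(self.RESET_LENGTH))
        self._store(username, new_password)
        return new_password

    def change_password(self, username, old_password, new_password):
        """Re-hash with a fresh salt only if the caller proves the old password."""
        if not self.validate_user(username, old_password):
            return False
        self._store(username, new_password)
        return True

    def record(self, username):
        """The stored row, as an administrator browsing the table would see it."""
        return dict(self._users[username])


def same_password_distinct_verifiers(password="Tr0ub4dor&3"):
    """Two users with the same password get different rows because of the salt."""
    store = HashedMembershipStore()
    store.create_user("alice", password)
    store.create_user("bob", password)
    return store.record("alice")["hash"] != store.record("bob")["hash"]
```

The per-user salt is what keeps the casual browser (and a precomputed table) from spotting that two users share a password; the constant-time comparison in validate_user is a habit worth keeping even in a toy.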

Figure 5-7. The ChangePassword control


There are additional configuration settings on the Membership provider that impact credential management. The first is passwordFormat, which defaults to Hashed. Next is enablePasswordRetrieval, which is set to false by default, causing GetPassword to throw an exception if called. Note that if you want to avoid configuration exceptions, this attribute must be set to false if you're using the AD provider, or the SQL provider with passwordFormat="Hashed". The enablePasswordReset attribute defaults to true. Setting it to false causes ResetPassword to throw an exception. When coupled with enablePasswordRetrieval="false", you get a Web site that forces the user to create a new account if she forgets her password. And finally, there's the requiresQuestionAndAnswer setting, which warrants its own discussion.
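The rules in this paragraph are easy to encode as a configuration audit. The following is an added example, not from the book or from ASP.NET, that builds three constructed web.config variants (the clear-text setup the chapter warns against, a Hashed provider with retrieval wrongly left on, and a hardened one) and reports findings for each membership provider it finds. The defaults applied when an attribute is absent follow the text; the check that an Encrypted provider needs an explicit, non-AutoGenerate machineKey decryptionKey is my understanding of the provider, not something the page states, and every name below is mine.

```python
import xml.etree.ElementTree as ET

# Constructed web.config skeleton; provider attributes are filled in per scenario.
TEMPLATE = """<configuration>
  <system.web>
    {machine_key}
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear/>
        <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb" {attrs}/>
      </providers>
    </membership>
  </system.web>
</configuration>"""


def build_config(machine_key="", **attrs):
    """Render the skeleton with the given provider attributes (constructed sample)."""
    attr_text = " ".join(f'{k}="{v}"' for k, v in attrs.items())
    return TEMPLATE.format(machine_key=machine_key, attrs=attr_text)


def audit_membership_config(xml_text):
    """Return (severity, message) findings for every membership provider in the config."""
    root = ET.fromstring(xml_text)
    findings = []
    mk = root.find("./system.web/machineKey")
    for add in root.findall("./system.web/membership/providers/add"):
        name = add.get("name", "?")
        fmt = add.get("passwordFormat", "Hashed")                       # default: Hashed
        retrieval = add.get("enablePasswordRetrieval", "false").lower() == "true"  # default: false
        reset = add.get("enablePasswordReset", "true").lower() == "true"           # default: true
        is_ad = "ActiveDirectoryMembershipProvider" in add.get("type", "")

        if fmt == "Clear":
            findings.append(("high", f"{name}: passwordFormat=Clear stores passwords in the clear; use Hashed"))
        elif fmt == "Encrypted":
            # Assumption: an auto-generated machine key cannot back Encrypted storage.
            key = mk.get("decryptionKey", "AutoGenerate") if mk is not None else "AutoGenerate"
            if key.startswith("AutoGenerate"):
                findings.append(("high", f"{name}: passwordFormat=Encrypted needs an explicit machineKey decryptionKey; losing that key locks out every user"))
            else:
                findings.append(("info", f"{name}: Encrypted format depends on the machineKey; back it up and restrict access to it"))
        if retrieval and (fmt == "Hashed" or is_ad):
            findings.append(("error", f"{name}: enablePasswordRetrieval must be false with Hashed format or the AD provider; the provider throws a configuration exception"))
        if not retrieval and not reset:
            findings.append(("info", f"{name}: retrieval and reset both disabled; a user who forgets her password must create a new account"))
    return findings


# The three scenarios from the chapter, as constructed samples.
WEAK_CONFIG = build_config(passwordFormat="Clear", enablePasswordRetrieval="true",
                           enablePasswordReset="true", requiresQuestionAndAnswer="false")
MISCONFIGURED_CONFIG = build_config(passwordFormat="Hashed", enablePasswordRetrieval="true")
HARDENED_CONFIG = build_config(passwordFormat="Hashed", enablePasswordRetrieval="false",
                               enablePasswordReset="true", requiresQuestionAndAnswer="true")

if __name__ == "__main__":
    for label, cfg in [("weak", WEAK_CONFIG), ("misconfigured", MISCONFIGURED_CONFIG),
                       ("hardened", HARDENED_CONFIG)]:
        print(label, audit_membership_config(cfg) or "no findings")
```

Running the audit against the hardened sample yields no findings; the clear-text sample produces one high-severity finding, and the Hashed-with-retrieval sample produces the configuration-exception finding before the application ever starts.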




Essential ASP.NET 2.0
ISBN: 0321237706
Year: 2006
Pages: 104
