ASP.NET Membership Password Hash -- .NET 3.5 to .NET 4 Upgrade Surprise!

I'm in the process of evaluating how my team will upgrade our product from .NET 3.5 SP1 to .NET 4. I expected the upgrade to be pretty smooth with very few, if any, upgrade issues. To my delight, the upgrade wizard said that everything upgraded without a problem. I thought I was home free, until I decided to build and run the application. A big problem was staring me in the face -- I couldn't log on.

Our product is using a custom ASP.NET Membership Provider, but essentially it's a modified SqlMembershipProvider with some additional properties. And my login was failing during the OnAuthenticate event handler of my ASP.NET Login control, right where it was calling my provider's ValidateUser method.

After a little digging, it turns out that the password hash that the membership provider was using to compare against the stored password hash in the membership database tables was different. I compared the password hash from the .NET 4 code line, and it was a different generated hash than my .NET 3.5 code line. (Tip -- when upgrading, always keep a valid debug copy of your app handy in case you have to step through a lot of code.)

So it was a strange situation, but at least I knew what the problem was. Now the question was, "Why was it happening?"

Turns out that a breaking change in .NET 4 is that the default hash algorithm changed to SHA256. Hey, that's great -- stronger hashing algorithm. But what do I do with all the hashed passwords in my database that were created using SHA1?

Well, you can make two quick changes to your app's web.config and everything will be OK. Basically, you need to override the default HashAlgorithmType property of your membership provider. Here are the two places to do that:

  1. At the beginning of your <system.web> element, add the following <machineKey> element:
      <machineKey validation="SHA1" />
  2. On your <membership> element under <system.web>, add the following hashAlgorithmType attribute:
      <membership defaultProvider="myMembership" hashAlgorithmType="SHA1">

After that, you should be good to go! Hope this helps.
posted @ Tuesday, June 15, 2010 6:04 PM
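
A diagnostic sketch for the mismatch described in this post, added here as an example and not taken from the author's custom provider. It assumes the stored format is Base64(hash(salt bytes followed by the UTF-16LE password bytes)), the layout SqlMembershipProvider uses for SHA1 and SHA256; the class name, password and salt are constructed sample values.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class MembershipHashCheck
{
    // Assumed encoding: Base64(hash(saltBytes + UTF-16LE(password))).
    public static string Encode(string password, string saltBase64, string algorithm)
    {
        byte[] salt = Convert.FromBase64String(saltBase64);
        byte[] pass = Encoding.Unicode.GetBytes(password);
        byte[] input = new byte[salt.Length + pass.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pass, 0, input, salt.Length, pass.Length);
        using (HashAlgorithm h = Create(algorithm))
            return Convert.ToBase64String(h.ComputeHash(input));
    }

    static HashAlgorithm Create(string algorithm)
    {
        switch (algorithm)
        {
            case "SHA1": return SHA1.Create();
            case "SHA256": return SHA256.Create();
            default: throw new ArgumentException("Unsupported algorithm: " + algorithm);
        }
    }

    // Infer the algorithm from the digest length: 20 bytes = SHA1, 32 bytes = SHA256.
    public static string GuessAlgorithm(string storedHashBase64)
    {
        int len = Convert.FromBase64String(storedHashBase64).Length;
        return len == 20 ? "SHA1" : len == 32 ? "SHA256" : "unknown (" + len + " bytes)";
    }

    static void Main()
    {
        // Constructed sample values, not taken from any real database.
        string salt = Convert.ToBase64String(new byte[16]);   // 16 zero bytes
        string stored = Encode("P@ssw0rd!", salt, "SHA1");    // stands in for a pre-upgrade row

        Console.WriteLine("Stored hash algorithm: " + GuessAlgorithm(stored));
        foreach (string alg in new[] { "SHA1", "SHA256" })
        {
            // Plain string comparison is fine for this offline diagnostic only.
            bool ok = Encode("P@ssw0rd!", salt, alg) == stored;
            Console.WriteLine(alg + " validation matches stored hash: " + ok);
        }
    }
}
```

Running GuessAlgorithm over the stored password hashes before an upgrade shows which hashAlgorithmType the existing rows need.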

Comments on this entry:

# re: ASP.NET Membership Password Hash -- .NET 3.5 to .NET 4 Upgrade Surprise!

Left by Amir Parsi at 3/4/2011 1:02 PM
I use .NET 3.5 and use login controls of I use createuserwizard control to create new users. The password is hashed, but because I don't know the hashing algorithm, I cannot check the password out of this control. Can you help me? I don't want to use login controls to do that.

# re: ASP.NET Membership Password Hash -- .NET 3.5 to .NET 4 Upgrade Surprise!

Left by Fehim Dervišbegović at 8/4/2011 8:33 AM
Great article!

Amir, you can find more about hashing function in my article:

# re: ASP.NET Membership Password Hash -- .NET 3.5 to .NET 4 Upgrade Surprise!

Left by fatbooy at 4/8/2012 4:43 PM

Thank you for your great article. But the problem is that no hashing algorithm has changed for membership but only for viewstate and cookies. Like is said in your reference for changes in ASP.NET 4. So thank you very much, I spent 3 hours solving a problem with SHA256.

Next time read the article carefully you je** before you write your own article.

# re: ASP.NET Membership Password Hash -- .NET 3.5 to .NET 4 Upgrade Surprise!

Left by Lelala at 3/12/2013 10:43 AM
What I do not understand is, how is it possible to use SHA-3 with the built-in component?
