ASP.NET Membership Provider - Switching from Clear to Hashed

I'm using the ASP.NET membership provider. While testing, I overrode the machine.config and set my password format as follows:

passwordFormat="Clear"

I removed the override (switching it back to the machine.config value of "Hashed").

  1. New accounts are being added with a hashed password.
  2. Resetting a password for an account created while the value was set to "Clear" does not hash the password. The passwords for these users remain in clear text.

TODO: To hash the accounts that were already added, I need to do <Researching this now -- hope I don't have to readd all of these users!>

UPDATE: It turns out that in the Membership table in the Membership database, there is a record for each user. There are columns for Password, PasswordSalt and PasswordFormat. Once a user has been created, the PasswordFormat for that user is stored with the user. Changing web.config does not affect existing users.

I am going to delete / re-add my test accounts. I could change the PasswordFormat myself, but it seems that is not supported by Microsoft. This is a membership database for a SharePoint extranet. Thankfully, I have not yet added the 150 external users and set up their permissions within SharePoint.

Moral of this story:  Do not add your users until you are sure which PasswordFormat you will be using in production.  Changing it after the fact is not supported. 

posted @ Wednesday, September 23, 2009 3:09 AM
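A read-only audit of which accounts still carry a non-hashed format, added here as an example and not part of the original post. It assumes the default SqlMembershipProvider schema created by aspnet_regsql (the `dbo.aspnet_Membership`, `dbo.aspnet_Users` and `dbo.aspnet_Applications` tables) and that PasswordFormat holds the MembershipPasswordFormat enum values (0 = Clear, 1 = Hashed, 2 = Encrypted).

```sql
-- Added example: read-only audit, no rows are modified.
-- Assumption: default aspnet_regsql schema; adjust names if yours differs.

-- 1. How many accounts are stored in each format, per application.
SELECT a.ApplicationName,
       CASE m.PasswordFormat
            WHEN 0 THEN 'Clear'
            WHEN 1 THEN 'Hashed'
            WHEN 2 THEN 'Encrypted'
            ELSE 'Unknown'
       END      AS StoredFormat,
       COUNT(*) AS Accounts
FROM dbo.aspnet_Membership   AS m
JOIN dbo.aspnet_Applications AS a ON a.ApplicationId = m.ApplicationId
GROUP BY a.ApplicationName, m.PasswordFormat
ORDER BY a.ApplicationName, m.PasswordFormat;

-- 2. The accounts that are not hashed, i.e. the ones to delete and re-add.
--    The Password column is deliberately not selected so the audit output
--    never contains credentials.
SELECT a.ApplicationName,
       u.UserName,
       m.PasswordFormat,
       m.CreateDate,
       m.LastPasswordChangedDate,
       -- A password change after creation with the format still at 0 shows
       -- that a reset kept the per-user format instead of the config value.
       CASE WHEN m.LastPasswordChangedDate > m.CreateDate
            THEN 'reset since creation'
            ELSE 'never reset'
       END AS ResetStatus
FROM dbo.aspnet_Membership   AS m
JOIN dbo.aspnet_Users        AS u ON u.UserId = m.UserId
JOIN dbo.aspnet_Applications AS a ON a.ApplicationId = m.ApplicationId
WHERE m.PasswordFormat <> 1
ORDER BY a.ApplicationName, u.UserName;
```

An empty result from the second query means every account in the database is stored as Hashed.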


Comments on this entry:

# re: ASP.NET Membership Provider - Switching from Clear to Hashed

Left by David Laplante at 11/24/2009 2:49 AM
I've been looking around on the web for the whole day yesterday for this and found nothing. This morning, you confirmed the conclusion I was coming to. Disappointing conclusion, but at least now I know. Thanks!
