How to hash ASP.NET Forms Authentication passwords in web.config in VB.NET

Forms authentication offers the possibility of storing the password in different formats. In the <credentials /> configuration section of the <forms /> element, the format of the password is specified through the passwordFormat attribute, which has three valid values:

–  Clear – The passwords are stored as clear text in the <user /> elements of the <credentials /> section.

– MD5 – The hashed version of the password is stored in the <user /> elements, and the algorithm used for hashing the password is the MD5 hashing algorithm.

– SHA1 – The <user /> elements in the <credentials /> section of the web.config file contain the hashed password, and the algorithm used for hashing the password is the SHA1 algorithm. This value is the default for the passwordFormat option.

When you are planning to use hashed version of the password, you should develop a tool or write some code that hashes the passwords for you and stores them in the web.config file. For storing the password, you should use the FormsAuthentication.HashPasswordForStoringInConfigFile method instead of passing in the clear-text password as follows:

 

Dim HashedPwd As String = FormsAuthentication.HashPasswordForStoringInConfigFile(ClearTextPassword, “MD5”)

 

The first parameter specifies the clear-text password, and the second one specifies the hash algorithm you should use. The result of the method call is the hashed version of the password. You can store the result in the web.config (when using web.config as a storage for your user accounts) or in your own users database (when using a custom database for storing user information).

You can modify users stored in web.config by using .NET Framework configuration API. The next code lines show how you can modify the section from configuration API. This code typically is implemented as part of an administrative application for managing your web application, which should be available for administrators only.

 

Dim MyConfig As Configuration = WebConfigurationManager.OpenWebConfiguration(“./”)

Dim SystemWeb As ConfigurationSectionGroup = MyConfig.SectionGroups(“system.web”)

Dim AuthSec As AuthenticationSection = DirectCast(SystemWeb.Sections(“authentication”), AuthenticationSection)

AuthSec.Forms.Credentials.Users.Add(New FormsAuthenticationUser(UsernameText.Text, PasswordText.Text))

MyConfig.Save()

 

To use this configuration API, you need to import the System.Web.Configuration namespace into your application. Furthermore, you need to make sure to have a reference to the System.Configuration.dll assembly.