password configuration question

[Tom]

Ok, I took over a web app that is using the login control provided by
asp.net 2.0. In the config file the developers added a param as such:

<machineKey validationkey=" and a hole mess of letters and numbers "
decryptionKey= " again a mess of numbers and letters " validation="SHAI"
/>


then in the membership configuration, it hwas <passwordFormat=encrypted />

I tried to decrypt a password in the test db and it doesn't work, so in this
scenario, how is the password really stored? Is it HASHED or is it encrypted
or what?

 

[Cowboy \(Gregory A. Beamer\)]

Machine key does not determine how the info is stored. It is determined by
passwordFormat under the provider used under the MembershipProvider tag
(web.config). You can store as encrypted.

Even if encrypted, not hashed, you have to use question 1 to decrypt the
password, unless you create your own custom provider or do not use a
security question (which may require a custom provider). Since this value is
also encrypted, you have to decrypt it or ask the user, or store somewhere
else (defeating the purpose). Your other option is to reverse engineer MS's
salted encryption scheme. I have partially done this, but it is quite time
consuming, as you end up culling through a lot of source to do this.