Different hash algorithm for ASP.NET Membership provider?

Question

Does anyone know if it is possible to configure the ASP.NET membership API to use SHA-256 or SHA-512? I don't really want to have to go down the line of writing my own and our employer has an encryption policy that does not allow MD5 or SHA-1. All i can find from Microsoft is the the HashAlgorythmType enum

...but this only contains MD5 and SHA1

Thanks,

Keeno

Answer 1

This answer can help. ASP.NET Membership Provider can now use PBKDF2 (much better than SHA1, SHA256-SHA512): https://stackoverflow.com/a/60273188/2508781

Answer 2

Looks like it is indeed possible (assuming you are using SqlMembershipProvider). It supports SHA1, MD5, SHA256, SHA384 and SHA512

SqlMembershipProvider uses this code to instantiate hashing algorithm:

// MembershipPasswordFormat.Hashed
HashAlgorithm s = HashAlgorithm.Create( Membership.HashAlgorithmType );
bRet = s.ComputeHash(bAll);

Membership.HashAlgorithmType (of type string) is the hashAlgorithmType attribute of the membership element in the Web.config

For the full list of all possible values see: http://msdn.microsoft.com/en-us/library/wet69s13(v=vs.100).aspx

Answer 3

You can change the hash algorithm with the hashAlgorithmType attribute. Also you can map algorithm names to classes. So if you want algorithm other than MD5 and SHA1 add new mappings.

For more information see:
membership Element (ASP.NET Settings Schema)
Membership.HashAlgorithmType Property

Answer 4

ACtually the format is determined by the passwordFormat attribute of the .../membership/providers/add element in the configuration file which defines settings for the provider.

The possible values are given by the MembershipPasswordFormat enumeration which provides no control over the hash algorithm used.