one-way hashing and encryption with membership: passwords and secret answers

So I just wrapped up my whirlwind tour through Europe (I'm in Sweden, heading back home to the States tomorrow AM) and wanted to address a question that came up a few places with regards to our security system.

In Beta 1 we encrypted and hashed the passwords in the membership database by default, but not the secret answer to the secret question...  my advice was if you want this, you can just customize the provider -- while this is true, that default behavior is not as secure as it needs to be.

In Beta 2 the secret answer will follow the settings for the password itself -- so if you have it set to use hashing and encryption the same will be used for the secret answer.  Definitely better.
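As an added illustration (not code from this post or from the membership provider itself), here is a small Python model of the difference between the two betas: the stored secret answer is either left in the clear or made to follow the same passwordFormat setting as the password. The format names, the PBKDF2 hash and the single salt shared by both fields are this example's assumptions.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass

# Mirrors the provider's passwordFormat choices; "Clear" and "Hashed" are
# the two modelled here (names are this example's assumption).
CLEAR, HASHED = "Clear", "Hashed"

def protect(secret: str, fmt: str, salt: bytes) -> str:
    """Store a secret (password or answer) in the given format."""
    if fmt == CLEAR:
        return secret
    if fmt == HASHED:
        # Salted, iterated one-way hash: comparable, not reversible. PBKDF2 is
        # this example's choice, not what the 2005 provider used.
        digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)
        return base64.b64encode(digest).decode("ascii")
    raise ValueError(f"unknown password format {fmt!r}")

@dataclass
class MembershipRecord:
    user_name: str
    salt: str              # base64; one salt shared by password and answer
    password_format: str
    password: str
    answer_format: str     # Beta 1 default: Clear; Beta 2: = password_format
    password_answer: str

def create_user(user_name, password, answer, password_format, answer_follows_password):
    """answer_follows_password=False models Beta 1, True models Beta 2."""
    salt = os.urandom(16)
    answer_format = password_format if answer_follows_password else CLEAR
    return MembershipRecord(
        user_name, base64.b64encode(salt).decode("ascii"),
        password_format, protect(password, password_format, salt),
        answer_format, protect(answer, answer_format, salt),
    )

def _matches(stored: str, fmt: str, salt_b64: str, candidate: str) -> bool:
    recomputed = protect(candidate, fmt, base64.b64decode(salt_b64))
    return hmac.compare_digest(stored.encode("utf-8"), recomputed.encode("utf-8"))

def verify_password(rec: MembershipRecord, candidate: str) -> bool:
    return _matches(rec.password, rec.password_format, rec.salt, candidate)

def verify_answer(rec: MembershipRecord, candidate: str) -> bool:
    return _matches(rec.password_answer, rec.answer_format, rec.salt, candidate)
```

With the Beta 1 behaviour the record exposes the answer verbatim to anyone who can read the table, while with the Beta 2 behaviour both fields are equally protected and verification still works through the same comparison.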

Hopefully that clears up any confusion :)

Comments

  • Anonymous
    March 14, 2005
    webshot members
  • Anonymous
    March 20, 2005
    while this is true, that default behavior is not as secure as it needs to be.
  • Anonymous
    March 22, 2005
    Care to explain what you mean? What about this is not secure enough in your opinion?