

ms_dot_net

Forms authentication help

Dec. 25th, 2009 | 02:41 pm
posted by: larryv in ms_dot_net

A website I built for a client was given a security audit. Most of the stuff they came back with was relatively simple to implement, but there was one that I can't find concise step-by-step instructions on how to implement on the web. It was with regards to the password. For this application the password is stored in the web.config file in clear text:
    <authentication mode="Forms">
      <forms loginUrl="~/admin/login.aspx" defaultUrl="~/admin/default.aspx" protection="All" timeout="30">
        <!-- passwordFormat="Clear": the password is stored as-is, which is what the audit flagged -->
        <credentials passwordFormat="Clear">
          <user name="clientname" password="p@55w0rd" />
        </credentials>
      </forms>
    </authentication>

The recommendation they gave was:
It is required to set the password format to a secure hashing method. Passwords should always be stored in a hashed form, not in clear text. Also, the password will have to be salted before a hash is created. Do not use weak or broken ciphers such as SHA1 or MD5. At a minimum, use SHA2 with a minimum of 256-bit encryption (a.k.a. SHA256).

Given that, can someone tell me what I have to change in my web.config and (I am assuming) in my login.aspx.cs?


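One way to do what the audit asks, as an added example that is not part of the original post or any reply. The key point is that the `<credentials passwordFormat="...">` element only accepts `Clear`, `MD5` and `SHA1` and has no notion of a salt, so a salted SHA-256 cannot be configured there at all; the credential has to move to `<appSettings>` (assumed key names `AdminUserName`, `AdminPasswordSalt`, `AdminPasswordHash`) and the check has to be done in login.aspx.cs instead of via `FormsAuthentication.Authenticate`. The control IDs `UserName`, `Password` and `ErrorLabel` are assumed names for the login page's controls:

```csharp
// Added example, not from the original post. Assumed web.config after the change:
// the <credentials> block is gone and the salt and hash live in <appSettings>:
//
//   <authentication mode="Forms">
//     <forms loginUrl="~/admin/login.aspx" defaultUrl="~/admin/default.aspx"
//            protection="All" timeout="30" />
//   </authentication>
//   <appSettings>
//     <add key="AdminUserName" value="clientname" />
//     <add key="AdminPasswordSalt" value="BASE64_SALT" />
//     <add key="AdminPasswordHash" value="BASE64_SHA256_HASH" />
//   </appSettings>
//
// Generate the two Base64 values once with PasswordHasher.GenerateEntry (from a
// throwaway console app or an admin-only page), paste them in, and delete the
// clear-text password from every copy of web.config, including source control.

using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;
using System.Web.UI;

public static class PasswordHasher
{
    private const int SaltBytes = 16;

    // SHA-256 over (salt || UTF-8 password). The random per-credential salt means
    // identical passwords get different hashes and precomputed tables are useless.
    public static byte[] ComputeHash(string password, byte[] salt)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        using (SHA256 sha = SHA256.Create())
        {
            return sha.ComputeHash(input);
        }
    }

    // One-off helper: returns "salt;hash" in Base64, ready to paste into web.config.
    public static string GenerateEntry(string password)
    {
        byte[] salt = new byte[SaltBytes];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        return Convert.ToBase64String(salt) + ";" +
               Convert.ToBase64String(ComputeHash(password, salt));
    }

    public static bool Verify(string password, string saltB64, string hashB64)
    {
        byte[] salt = Convert.FromBase64String(saltB64);
        byte[] expected = Convert.FromBase64String(hashB64);
        byte[] actual = ComputeHash(password, salt);
        return FixedTimeEquals(actual, expected);
    }

    // Compare every byte regardless of where the first mismatch is, so response
    // timing does not leak how much of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// login.aspx.cs: replaces a call to FormsAuthentication.Authenticate(user, pwd),
// which only understands the Clear/MD5/SHA1 formats of <credentials>.
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = ConfigurationManager.AppSettings["AdminUserName"];
        string salt = ConfigurationManager.AppSettings["AdminPasswordSalt"];
        string hash = ConfigurationManager.AppSettings["AdminPasswordHash"];

        bool ok = string.Equals(UserName.Text, user, StringComparison.Ordinal)
                  && PasswordHasher.Verify(Password.Text, salt, hash);
        if (ok)
        {
            // Issues the encrypted and signed ticket (protection="All") and
            // redirects to defaultUrl, exactly as the <credentials> path did.
            FormsAuthentication.RedirectFromLoginPage(user, false);
        }
        else
        {
            ErrorLabel.Text = "Invalid user name or password.";
        }
    }
}
```

Two caveats a reviewer would add. A salted SHA-256 is the minimum the audit asks for, but a single fast hash still lets an attacker who obtains web.config test billions of guesses per second offline; a deliberately slow, iterated function (PBKDF2 via `Rfc2898DeriveBytes`, or bcrypt) is the stronger choice if the auditor will accept it. And the hash is only as secret as web.config itself, so the file should stay outside any publicly served directory listing and out of shared repositories.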