SHA-1 in Forms Authentication now insecure

David Rees

The Forms-encryption module includes a handy (if long-winded) hash function:
FormsAuthentication.HashPasswordForStoringInConfigFile

It only supports MD5 and SHA1, but ages ago MD5 was torn apart, and more
recently
(http://it.slashdot.org/article.pl?sid=07/01/20/1936257&threshold=2) they've
broken SHA-1, so obviously we're going to need something a little stronger.
I was thinking SHA-256, but that's too similar to SHA-1.

Fortunately I don't use .HashPasswordForStoringInConfigFile much (I think...
twice in my last application), but I'll need something beefier. A quick
Reflection of the method shows SHA1 and MD5 support is hard-coded.

What hash functions do you suggest and are easy enough to implement in .NET?
 
Guest

Dave,
I'm not one to attempt to minimize the risks of hacking attacks, but
realistically, the fact that "somebody" was able to break SHA-1 in a
laboratory-type environment, and the likelihood that that "somebody" would
ever be able to successfully find, target and break your specific application
are two highly unrelated situations, no?
Peter
 
