Using passwordFormat with ASP.NET Membership

ASP.NET 2.0’s new membership provider allows for three different ways to protect users’ passwords via the passwordFormat attribute:

  • Clear: passwords are stored in clear text. Fine for non-sensitive applications.
  • Encrypted: passwords are encrypted. Note that you will have to put a hard-coded decryption key in the <machineKey> tag in your web.config or machine.config. Otherwise you’ll get a “You must specify a non-autogenerated machine key to store passwords in the encrypted format” error when trying to create users. To create a machineKey tag with a set of random keys, you can use my machineKey generator (source code included).
  • Hashed: passwords are not stored in the database at all, only a SHA-1 hash. This means passwords cannot be retrieved at all — if a user forgets their password, they’ll have to request a new, randomly-generated one.

Below is an example of a <membership> tag using the Encrypted password format.

        <membership defaultProvider="MySqlMembershipProvider">
                <!-- connectionStringName is assumed; LocalSqlServer is the name machine.config registers by default -->
                <add name="MySqlMembershipProvider"
                                passwordFormat="Encrypted"
                                requiresUniqueEmail="false" enablePasswordRetrieval="true"
                                enablePasswordReset="true" requiresQuestionAndAnswer="false"
                                connectionStringName="LocalSqlServer"
                                type="System.Web.Security.SqlMembershipProvider, System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        </membership>
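As an added example (my own script, not the author’s machineKey generator and not ASP.NET code), the following Python generates a fixed, non-autogenerated <machineKey>, renders a constructed web.config fragment for a chosen passwordFormat, and audits it for the two problems discussed above: Clear storage, and Encrypted without a hard-coded key. The provider name and the LocalSqlServer connection string name are assumptions.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed web.config template (not from the page); {machine_key} and {fmt}
# are filled in below. connectionStringName is an assumed value.
CONFIG_TEMPLATE = """<configuration><system.web>
  {machine_key}
  <membership defaultProvider="MySqlMembershipProvider">
    <add name="MySqlMembershipProvider" passwordFormat="{fmt}"
         enablePasswordRetrieval="{retrieval}" connectionStringName="LocalSqlServer"
         type="System.Web.Security.SqlMembershipProvider" />
  </membership>
</system.web></configuration>"""

# The machine.config default: keys are auto-generated per application.
AUTOGEN_KEY = ('<machineKey validationKey="AutoGenerate,IsolateApps" '
               'decryptionKey="AutoGenerate,IsolateApps" />')

def generate_machine_key():
    """Fixed keys from a CSPRNG: 64 bytes for SHA1 validation and 32 bytes for
    AES decryption, as upper-case hex, which is what the machineKey tag expects."""
    return ('<machineKey validationKey="%s" decryptionKey="%s" '
            'validation="SHA1" decryption="AES" />'
            % (secrets.token_hex(64).upper(), secrets.token_hex(32).upper()))

def render_config(password_format, machine_key):
    """Fill the template; retrieval is only meaningful for Clear and Encrypted."""
    retrieval = "false" if password_format == "Hashed" else "true"
    return CONFIG_TEMPLATE.format(machine_key=machine_key, fmt=password_format,
                                  retrieval=retrieval)

def audit_membership(web_config):
    """Return a list of findings for passwordFormat versus machineKey."""
    root = ET.fromstring(web_config)
    mk = root.find("./system.web/machineKey")
    # A missing tag inherits machine.config, i.e. AutoGenerate.
    autogen = mk is None or any("AutoGenerate" in mk.get(a, "AutoGenerate")
                                for a in ("validationKey", "decryptionKey"))
    findings = []
    for p in root.findall("./system.web/membership/add"):
        fmt = p.get("passwordFormat", "Hashed")  # provider default is Hashed
        if fmt == "Clear":
            findings.append(f"{p.get('name')}: passwordFormat=Clear stores "
                            "passwords in clear text")
        elif fmt == "Encrypted" and autogen:
            findings.append(f"{p.get('name')}: passwordFormat=Encrypted needs a "
                            "fixed machineKey; CreateUser will fail with the "
                            "non-autogenerated machine key error")
    return findings
```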