SqlMembershipProvider.PasswordFormat Property


Gets a value indicating the format for storing passwords in the SQL Server membership database.

 virtual property System::Web::Security::MembershipPasswordFormat PasswordFormat { System::Web::Security::MembershipPasswordFormat get(); };
public override System.Web.Security.MembershipPasswordFormat PasswordFormat { get; }
member this.PasswordFormat : System.Web.Security.MembershipPasswordFormat
Public Overrides ReadOnly Property PasswordFormat As MembershipPasswordFormat


One of the MembershipPasswordFormat values, indicating the format for storing passwords in the SQL Server database.


The following code example shows the membership element in the system.web section of the Web.config file for an ASP.NET application. It specifies the application's SqlMembershipProvider instance and sets its password format to Hashed.

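<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="20">
  <providers>
    <!-- type, connectionStringName and other provider attributes omitted -->
    <add name="SqlProvider" passwordFormat="Hashed" applicationName="MyApplication" />
  </providers>
</membership>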


Use Hashed only; Clear and Encrypted are not secure. Hashed passwords are hashed using a one-way hash algorithm and a randomly generated salt value when stored in the database. When a password is validated, it is hashed with the salt value in the database for verification. Hashed passwords cannot be retrieved. Encrypted passwords are not considered safe, as a breach that reveals your database contents can also expose the encryption key. This means your encrypted passwords could be decrypted and exposed.

The PasswordFormat value is specified in the providers section of the Web.config file for the ASP.NET application.

Encrypted and Hashed passwords are encrypted or hashed by default based on information supplied in the machineKey element in your configuration. Note that if you specify a value of 3DES for the validation attribute, or if no value is specified, hashed passwords will be hashed using the SHA1 algorithm.

A custom hash algorithm can be defined using the hashAlgorithmType attribute of the membership Element (ASP.NET Settings Schema) configuration element. If you choose encryption, default password encryption uses AES. You can change the encryption algorithm by setting the decryption attribute of the machineKey configuration element. If you are encrypting passwords, you must provide an explicit value for the decryptionKey attribute in the machineKey element. The default value of AutoGenerate for the decryptionKey attribute is not supported when using encrypted passwords with ASP.NET Membership.

Due to collision problems with SHA1, Microsoft recommends a security model based on SHA256 or better.
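The following added example (not part of the original documentation and not Microsoft's code) audits a Web.config for the conditions described above: a passwordFormat other than Hashed, Encrypted passwords without an explicit decryptionKey, and hashed passwords that resolve to SHA1. The function name audit_membership, the sample configuration, its provider names and the connection string placeholder are assumptions; it also assumes the configuration root carries no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config; provider names and the connection string
# name are placeholders, not values from the page.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <machineKey validation="3DES" decryptionKey="AutoGenerate" />
    <membership defaultProvider="SqlProvider">
      <providers>
        <add name="SqlProvider" passwordFormat="Hashed"
             type="System.Web.Security.SqlMembershipProvider" connectionStringName="EXAMPLE" />
        <add name="LegacyProvider" passwordFormat="Encrypted"
             type="System.Web.Security.SqlMembershipProvider" connectionStringName="EXAMPLE" />
      </providers>
    </membership>
  </system.web>
</configuration>"""


def audit_membership(config_xml):
    """Return (provider name, finding) pairs for risky password storage."""
    web = ET.fromstring(config_xml).find("system.web")
    membership = web.find("membership") if web is not None else None
    if membership is None:
        return []
    key = web.find("machineKey")
    key = key.attrib if key is not None else {}
    hash_alg = membership.get("hashAlgorithmType")
    findings = []
    for prov in membership.findall("providers/add"):
        if "SqlMembershipProvider" not in prov.get("type", ""):
            continue
        name = prov.get("name", "(unnamed)")
        fmt = prov.get("passwordFormat", "Hashed")  # Hashed is the provider default
        if fmt != "Hashed":
            findings.append((name, f"passwordFormat={fmt}: use Hashed only"))
            auto = key.get("decryptionKey", "AutoGenerate").startswith("AutoGenerate")
            if fmt == "Encrypted" and auto:
                findings.append((name, "Encrypted without explicit decryptionKey"))
        elif hash_alg is None and key.get("validation") in (None, "3DES"):
            findings.append((name, "hashes with SHA1: set hashAlgorithmType"))
        elif (hash_alg or "").upper() == "SHA1":
            findings.append((name, "hashAlgorithmType=SHA1: use SHA256 or better"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_membership(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```
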