December 4, 2008 Membership Password Hashing Algorithm

Filed under: Uncategorized — yasi8h @ 1:47 am

Recently I had the chance to work with ASP.NET membership. After deciding to add the database schema it requires to our application database itself, there were some questions left on how to use the data in these services tables (the data related to user logins was in the aspnet_Membership table) with some other non-server-side application that uses the same database. Specifically, I needed to find out how the password hashing algorithm works, so that when another application wants to use that user login data for something, it knows how to generate the correct hash and authenticate the users.

It was apparent that it was using a “hash + (random?) salt per user” scheme to store the passwords (well, after all, this is configurable; in my case it was configured to use the ‘hash’ method to store the users’ passwords). After much googling I found out that there are some options we can set for which hashing algorithm to use, via the <machineKey> element in the config file. This article noted that by default it used SHA1. But I still didn’t know exactly how it generated the hash (i.e. is it password + salt, or salt + password, etc.). So I used Reflector to find out. The interesting code is in System.Web.Security.MembershipProvider.EncodePassword.

So with that code (minus some unneeded logic) you can successfully generate the same password hash that ASP would.

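using System;
using System.Text;
using System.Security.Cryptography;

internal string EncodePassword(string pass, string salt)
{
   // Password as UTF-16LE bytes; the stored salt is Base64 text.
   byte[] bytes = Encoding.Unicode.GetBytes(pass);
   byte[] src = Convert.FromBase64String(salt);
   byte[] dst = new byte[src.Length + bytes.Length];
   byte[] inArray = null;
   // Hash input is the salt bytes followed by the password bytes.
   Buffer.BlockCopy(src, 0, dst, 0, src.Length);
   Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);

   HashAlgorithm algorithm = HashAlgorithm.Create("SHA1");
   inArray = algorithm.ComputeHash(dst);

   // The hash is stored as Base64 text.
   return Convert.ToBase64String(inArray);
}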

hope this helps someone/myself(in the future)
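For the non-.NET consumer the post has in mind, the same computation in Python, as an added example that is not part of the original post or of ASP.NET. The function names and the sample salt are constructed for illustration, and it covers only the SHA1 ‘hash’ configuration described above.

```python
import base64
import hashlib
import hmac


def encode_password(password: str, salt_b64: str) -> str:
    """Base64(SHA1(salt_bytes + UTF-16LE(password))), as in the C# above."""
    salt = base64.b64decode(salt_b64, validate=True)
    # .NET's Encoding.Unicode is UTF-16 little-endian without a BOM.
    pass_bytes = password.encode("utf-16-le")
    digest = hashlib.sha1(salt + pass_bytes).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_password(candidate: str, salt_b64: str, stored_hash_b64: str) -> bool:
    """Check a login attempt against the stored salt and hash strings."""
    try:
        expected = base64.b64decode(stored_hash_b64, validate=True)
        actual = base64.b64decode(encode_password(candidate, salt_b64))
    except ValueError:
        # Malformed Base64 in either stored field: treat as a failed login.
        return False
    # Constant-time comparison so timing does not reveal how many
    # leading bytes of the hash matched.
    return hmac.compare_digest(actual, expected)


def demo():
    # Constructed sample values, not taken from any real database.
    salt_b64 = base64.b64encode(bytes(range(16))).decode("ascii")
    stored = encode_password("correct horse", salt_b64)
    return (
        verify_password("correct horse", salt_b64, stored),  # right password
        verify_password("Correct horse", salt_b64, stored),  # wrong case
        verify_password("correct horse", salt_b64, "not base64!"),  # bad row
    )


if __name__ == "__main__":
    print(demo())
```

A single SHA-1 round over salt and password is cheap to compute, so a consuming application should protect these rows as it would the passwords themselves.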



  1. great job mate! that’s exactly what I was looking for, cheers

    Comment by rob — April 24, 2009 @ 1:42 pm

  2. Worked like a charm. Thank you

    Comment by Sean — October 5, 2010 @ 5:03 pm

  3. Hi, I am getting an error here

    Buffer.BlockCopy(src, 0, dst, 0, src.Length);
    Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);

    Here is the Error

    ‘bool’ does not contain a definition for ‘BlockCopy’ and no extension method ‘BlockCopy’ accepting a first argument of type ‘bool’ could be found (are you missing a using directive or an assembly reference?)

    Please give me suggestion to get out of it.

    Comment by Srinivas — April 26, 2011 @ 6:52 am

  4. In this case we think on System.Buffer class so you should use

    System.Buffer.BlockCopy(src, 0, dst, 0, src.Length);
    System.Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);

    I also wrote a similar article:

    Also I have one question! Is it possible to rewrite this function in MSSQL without calling dll-s from it?


    Comment by Fox — August 4, 2011 @ 12:29 pm
