SHA-1 in Forms Authentication now insecure

  • Thread starter: David Rees

David Rees

The Forms-encryption module includes a handy (if long-winded) hash function:
FormsAuthentication.HashPasswordForStoringInConfigFile

It only supports MD5 and SHA1, but ages ago MD5 was torn apart, and more
recently (http://it.slashdot.org/article.pl?sid=07/01/20/1936257&threshold=2)
they've broken SHA-1, so obviously we're going to need something a little
stronger. I was thinking SHA-256, but that's too similar to SHA-1.

Fortunately I don't use .HashPasswordForStoringInConfigFile much (I think...
twice in my last application), but I'll need something beefier. A quick
Reflection of the method shows SHA1 and MD5 support is hard-coded.

What hash functions do you suggest and are easy enough to implement in .NET?
 
Dave,
I'm not one to attempt to minimize the risks of hacking attacks, but
realistically, the fact that "somebody" was able to break SHA-1 in a
laboratory-type environment, and the likelihood that that "somebody" would
ever be able to successfully find, target and break your specific application
are two highly unrelated situations, no?
Peter
 