[Owasp-leaders] .Net and password hashing related question

Nishi Kumar nishi.kumar at owasp.org
Thu Jun 7 22:14:21 UTC 2012

Hi All,

I am trying to figure out answers to these questions. Can somebody
help me with this?

.NET comes with SqlMembershipProvider out of the box, which, among
other functions, provides password storage functionality in a
designated SQL Server database.
It can store passwords as clear text, encrypted or hashed, based on
configuration. The recommended choice is Hashed, and the latest
version of SqlMembershipProvider defaults to SHA256. However, the
version of the hashing algorithm it uses is not FIPS 140 compliant. Among
the Hash implementations available in .NET, some are FIPS compliant,
and some are not. The questions are:

1) Can we have a list of FIPS-compliant Hash algorithms?
2) Will SqlMembershipProvider work with every one of these algorithms,
or are some of them not compatible with SqlMembershipProvider?

Nishi Kumar

IT Architect Specialist
OWASP CBT Project Lead
