
5 minute wonders: The ASP.NET membership provider

Consider this guidance now deprecated! The membership provider stored passwords as a salted SHA1 hash, which is insufficient by today's standards and easily cracked. Refer instead to ASP.NET Identity, which is a sufficiently stronger and more modern implementation.
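
To make the deprecation note concrete, here is an added example (not code from the original post or from ASP.NET itself) that puts a single salted SHA1 hash beside PBKDF2, the kind of iterated derivation ASP.NET Identity's password hasher is built on, and measures what one password check costs under each. It assumes .NET 6 or later; the salt-then-UTF-16-password layout for the legacy hash, the sample password and the iteration count are assumptions chosen for illustration.

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Text;

static class PasswordHashComparison
{
    // Assumed legacy layout: Base64(SHA1(salt || UTF-16LE password)).
    // One SHA1 call per check, so the salt is the only thing slowing a guesser down.
    static string LegacySaltedSha1(string password, byte[] salt)
    {
        byte[] pwd = Encoding.Unicode.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        using SHA1 sha1 = SHA1.Create();
        return Convert.ToBase64String(sha1.ComputeHash(input));
    }

    // Iterated derivation: every check costs `iterations` HMAC-SHA256 rounds.
    static byte[] Pbkdf2(string password, byte[] salt, int iterations) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, 32);

    // Constant-time comparison so verification does not leak how many bytes matched.
    static bool Verify(string candidate, byte[] salt, int iterations, byte[] stored) =>
        CryptographicOperations.FixedTimeEquals(Pbkdf2(candidate, salt, iterations), stored);

    static void Main()
    {
        const string password = "correct horse battery staple"; // constructed sample
        const int iterations = 100_000;                          // illustrative work factor
        const int rounds = 10_000;                               // averages out timer noise
        byte[] salt = RandomNumberGenerator.GetBytes(16);

        var sw = Stopwatch.StartNew();
        string legacy = "";
        for (int i = 0; i < rounds; i++) legacy = LegacySaltedSha1(password, salt);
        double legacyMs = sw.Elapsed.TotalMilliseconds / rounds;

        sw.Restart();
        byte[] stored = Pbkdf2(password, salt, iterations);
        double pbkdf2Ms = sw.Elapsed.TotalMilliseconds;

        Console.WriteLine($"Legacy hash: {legacy}");
        Console.WriteLine($"Salted SHA1: {legacyMs:F5} ms per check");
        Console.WriteLine($"PBKDF2 x{iterations}: {pbkdf2Ms:F2} ms per check");
        Console.WriteLine($"Right password verifies: {Verify(password, salt, iterations, stored)}");
        Console.WriteLine($"Wrong password verifies: {Verify("password1", salt, iterations, stored)}");
    }
}
```

The two timings are the cost a legitimate login pays once and the cost anyone holding a copy of the password table pays for every guess, which is why the work factor matters and the salt alone does not.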


Often times I’ll have a discussion with a software vendor or developer about implementing a particular piece of functionality or performing a certain task which I perceive as easy but they’ll come back with some sort of outlandish estimate.

“Securely implement an authentication mechanism? 3 weeks please!”

“Identify network performance issues in a web app? Hmmm, maybe 2 or 3 days.”

And so on and so forth. Part of my day job is to try and get the most bang for buck from my employer’s hard earned dollars so I’ll usually revert with something like “Hang on – I’m not asking you to fly to the moon, this should be a 5 minute job.” Perhaps it’s just the ingratiating nature of some people, but I’ll often hear something along the lines of “Ah, but you’re very smart!” Uh, no, that’s not the reason.

I simply know some shortcuts, that’s all. They’re not necessarily high tech and often they’re reasonably well known but they’re the sort of thing where if you don’t know about it, you end up blowing days or weeks or simply putting it in the “too hard” basket and missing out on some of the goodness which is out there at your disposal.

The idea of “5 minute wonders” is to show how simple development life can be using some of these tricks (hat tip to Jim Hare for inspiring the title with his Little Wonders series). They’ll all be videos, they’ll never run for more than 5 minutes and they’ll always be practical. They’ll be old hat to many people but for others, it will be a new world they didn’t know already existed right in front of them.

The ASP.NET membership provider

An easy choice for the first wonder, the joy of the ASP.NET membership provider is that it takes something that is time consuming to build and frequently fraught with security holes big enough to drive a truck through and makes it really, really easy. In fact this is closer to four minutes including starting with no project, no database and narrating the whole thing as I went along. Enjoy:

References

The command issued in the Visual Studio command window was aspnet_regsql.

For more information on the membership provider, see How To: Use Membership in ASP.NET 2.0.


Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals