Hello,
We have one ASP.NET web application which is build in .net framework 4.5 version. Currently on production this application is using SHA1 encrption alogorith.This alogorithm is set in "MachineKey" tag of application's web.config file. This applicaion uses Asp.Net Membership concept for maintaining Login credentials.
As the SHA1 alogorith is on verge of degradation so we want to update our application from SAH1 to SHA2. For this we have set "HMACSHA256" in "MachineKey" tag of application's web.config file.
After upgrading our application to SHA2 with above settings, we expect that the older users passwords(which was encrypted using SHA1 and already present in memebership database) will not work with SHA2 alogorithm. But it allows older users to login without any modification in previously encrypted password.
Can you please help us on following questies related to SHA1 to SHA2 migration:
Question 1 : Does the changes made in "MachineKey" tag of application's web.config file is enough/recommended for this migration?
Question 2 : As we are still able to login into the application using previosuly encrpted passwords, does the memebership database really uses the SHA2 encrption set in web.config file? Or we need to add some additional settings to enable SHA2 encrption on memebership database level? Please advice.
Please suggest if there is any best way to enable SHA2 encrption on Memebership database level.
Thanks,
Riz