How secure is basic forms authentication in asp.net?

Question

Imagine that you have a simple site with only 2 pages: login.aspx and secret.aspx. Your site is secured using nothing but ASP.net forms authentication and an ASP.net Login serv

Answer 1

Well, try and look behind the scenes:

Password Protection

Applications that store user names, passwords, and other authentication information in a database should never store passwords in plaintext, lest the database be stolen or compromised. To that end, SqlMembershipProvider supports three storage formats ("encodings") for passwords and password answers. The provider's PasswordFormat property, which is initialized from the passwordFormat configuration attribute, determines which format is used:

• MembershipPasswordFormat.Clear, which stores passwords and password answers in plaintext.
• MembershipPasswordFormat.Hashed (the default), which stores salted hashes generated from passwords and password answers. The salt is a random 128-bit value generated by the .NET Framework's RNGCryptoServiceProvider class. Each password/password answer pair is salted with this unique value, and the salt is stored in the aspnet_Membership table's PasswordSalt field. The result of hashing the password and the salt is stored in the Password field. Similarly, the result of hashing the password answer and the salt is stored in the PasswordAnswer field.
• MembershipPasswordFormat.Encrypted, which stores encrypted passwords and password answers. SqlMembershipProvider encrypts passwords and password answers using the symmetric encryption/decryption key specified in the configuration section's decryptionKey attribute, and the encryption algorithm specified in the configuration section's decryption attribute. SqlMembershipProvider throws an exception if it is asked to encrypt passwords and password answers, and if decryptionKey is set to Autogenerate. This prevents a membership database containing encrypted passwords and password answers from becoming invalid if moved to another server or another application.

So the strength of your security (out of the box) will depend on which password protection format strategy you are using:

• If you use clear text, it is obviously easier to hack into your system.
• Using Encrypted on the other hand, security will depend on physical access to your machine (or at least, machine.config).
• Using Hashed passwords (the default) will guarantee security depending on: a) known reversals of the hashing strategy of RNGCryptoServiceProvider class and b) access to the database to compromise the randomly generated salt.

I do not know if it is possible to use some sort of rainbow table hack into the default Hash-base system.

For more details, check out this link: http://msdn.microsoft.com/en-us/library/aa478949.aspx