Membership Provider EncodePassword Method .NET 4.0

I am writing my own Custom Membership Provider but am using the Membership Providers own EncodePassword method which is shown below:

internal string EncodePassword(string pass, int passwordFormat, string salt)

{
if (passwordFormat == 0) // MembershipPasswordFormat.Clear
    return pass;

byte[] bIn = Encoding.Unicode.GetBytes(pass);
byte[] bSalt = Convert.FromBase64String(salt);
byte[] bAll = new byte[bSalt.Length + bIn.Length];
byte[] bRet = null;

Buffer.BlockCopy(bSalt, 0, bAll, 0, bSalt.Length);
Buffer.BlockCopy(bIn, 0, bAll, bSalt.Length, bIn.Length);
if (passwordFormat == 1)
{ // MembershipPasswordFormat.Hashed
    HashAlgorithm s = HashAlgorithm.Create( Membership.HashAlgorithmType );
    bRet = s.ComputeHash(bAll);
} else
{
    bRet = EncryptPassword( bAll );
}

return Convert.ToBase64String(bRet);
}

I now know after hunting around for a number of hours that in .NET 4 the algorithm used is HMACSHA256. I understand that i need a key for the algorithm to work correctly.

My question is how do it do this?

Do i put the key in the config file and reference it in 开发者_开发技巧some way?

Any help would be appreciated!

Thanks.

---

Don't use SHA!. Go and download BCrypt.Net. SHA is too fast at hashing which makes anything encrypted with it easy to brute force. BCrypt is slower due to a configurable work factor, so whilst imperceptable to the user, when trying to brute force 700m keys a second, you simply can't.

Once you have bcrypt all you need to do to hash is:

private static readonly int BCRYPT_WORK_FACTOR = 10;
string hashedPassword = BCrypt.Net.BCrypt.HashPassword(account.HashedPassword, BCRYPT_WORK_FACTOR);

and to check a password:

bool matched = BCrypt.Net.BCrypt.Verify(password, match.HashedPassword))

I have written this up in a bit more depth here http://www.danharman.net/2011/06/25/encrypting-hashing-passwords-for-your-website/