A Simple Way to Hash Passwords in ASP.NET

If you’re developing a website that requires your users to create an account, it’s a very good idea to not store their passwords in plain-text in the database. A good chunk of users use the same password for just about everything, so if your database is compromised, there’s the possibility of having some real reprocussions for your users. Fortunately, it’s very easy to hash passwords in ASP.NET (and C# and Visual Basic in general).

Microsoft has provided us with a method called FormsAuthentication.HashPasswordForStoringInConfigFile that will hash your user’s passwords with MD5 or SHA-1 with a single line of code. Given the choice, I’d recommend SHA-1 because it’s generally considered more secure by the security community.

So what’s password hashing anyway?

Essentially, a hash function provides a means to take a string of text that you want to protect and encrypts it in such a manner that if the original text were ran through the function again, it would always generate the same result. Hash functions are generally a “one-way” encryption, so you can take the original password and turn it into the hashed password, but you can’t go back from the hashed password and turn it back into the original.

If you’d like a more technical explanation of password hashing, checkout this article on MathWorld.

Using the Function:

public static string PasswordHasher(string Password)
return FormsAuthentication.HashPasswordForStoringInConfigFile(Password, System.Web.Configuration.FormsAuthPasswordFormat.SHA1);

The above method will take a password that you enter and run it through the encryption function provided using the SHA1 format. You’ll get back a string with the generated hash of your password.

Overall, it’s a very nice quick and dirty way to hash a password in ASP.NET, although some might criticize its use. If you would like to at a SALT to your password, read this article at donetjunkies.


  1. […] recently covered an easy way to hash passwords using SHA-1 in .NET using either Visual Basic or C#. In most cases, SHA-1 encryption is “secure […]

Speak Your Mind