Set password / hash
General information
Forum: ASP.NET
Category: Silverlight
Miscellaneous
Thread ID: 01531645
Message ID: 01531789
Views: 71
>>Has anyone actually managed to set a user's password (hashed) via aspnet_Membership_SetPassword in a Silverlight app?
>>
>>I can do it in ASP.NET w/o problem. The System.Security.Cryptography class for ASP.NET seems to handle hashing (SHA1) exactly the way asp.net likes.
>>
>>System.Security.Cryptography in Silverlight naturally is different than the one available in asp.net. Using System.Security.Cryptography.SHA1Managed to hash a password generates what looks like a hash, but save it using aspnet_Membership_SetPassword and the user will not be able to log in again.
>>
>>So far, after most of the day spent searching/chasing dead ends/ etc I haven't found any code that actually works (in Silverlight).
>>
>>This is part of the Administration module I've been writing.
>>
>>for reference.. my password hashing classes..
>>
>>    // This generates a secure 1 time salt to use when encrypting/assigning a password
>>    public static string CreateSalt()
>>    {
>>        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
>>        byte[] buff = new byte[16]; // was [32]
>>        rng.GetBytes(buff);
>>        return Convert.ToBase64String(buff);
>>    }
>>
>>    //uses the Salt generated in CreateSalt to hash the passed-in password.
>>    //The hashed password and the salt must be passed to aspnet_Membership_CreateUser to create the user
>>    public static string EncodePassword(string pass, string salt)
>>    {
>>        byte[] bytes = Encoding.Unicode.GetBytes(pass);
>>        byte[] src = Encoding.Unicode.GetBytes(salt);
>>        byte[] dst = new byte[src.Length + bytes.Length];
>>        System.Buffer.BlockCopy(src, 0, dst, 0, src.Length);
>>        System.Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);
>>
>>        ////System.Security.Cryptography.
>>        ////silverlight version
>>
>>        SHA1 algorithm = new System.Security.Cryptography.SHA1Managed();
>>        byte[] inArray = algorithm.ComputeHash(dst);
>>
>>        //for asp.net version
>>        //HashAlgorithm algorithm = HashAlgorithm.Create( "SHA1");
>>        //byte[] inArray = algorithm.ComputeHash(dst);
>>
>>        return Convert.ToBase64String(inArray);
>>    }
>
>Hi,
>If it really is a hashing problem then I think Silverlight and .Net4 both have a concrete System.Security.Cryptography.SHA1Managed class. Maybe try using that in the ASP.NET version as well?
>
>Out of curiosity why are you encoding the password as well as hashing (and of what use is 'dst' since I can't see how you can reverse the process to get anything useful) ?

All the Encoding.GetBytes does is format the password string as Unicode bytes (SetPassword requires this).

I've managed to get this to work as follows..

    // Requires: using System; using System.Security.Cryptography; using System.Text;

    // This generates a secure 1 time salt to use when encrypting/assigning a password
    public static string CreateSalt()
    {
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        byte[] buff = new byte[16]; // was [32]
        rng.GetBytes(buff);
        return Convert.ToBase64String(buff);
    }

    //uses the Salt generated in CreateSalt to hash the passed-in password.
    //The hashed password and the salt must be passed to aspnet_Membership_CreateUser to create the user
    public static string EncodePassword(string pass, string salt)
    {
        // Password as UTF-16 bytes; salt decoded from Base64 back to its raw bytes
        byte[] bIn = Encoding.Unicode.GetBytes(pass);
        byte[] bSalt = Convert.FromBase64String(salt);
        byte[] bAll = new byte[bSalt.Length + bIn.Length];
        byte[] bRet;

        // Hash input is salt bytes followed by password bytes
        Buffer.BlockCopy(bSalt, 0, bAll, 0, bSalt.Length);
        Buffer.BlockCopy(bIn, 0, bAll, bSalt.Length, bIn.Length);
        SHA1 algorithm = new System.Security.Cryptography.SHA1Managed();
        bRet = algorithm.ComputeHash(bAll);

        return Convert.ToBase64String(bRet);
    }

So far, it seems to handle password changes w/no problem (aside from getting the #^@#ing thing to work)!
____________________________________

Don't Tread on Me

Overthrow the federal government NOW!
____________________________________
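The difference between the two `EncodePassword` versions in this thread, as an added example that is not code from either poster: the first hashes the Base64 text of the salt as UTF-16 bytes, the second hashes the decoded salt bytes, so the same password and salt yield different hashes. The names `MembershipHashDemo`, `Hash`, `EncodeDecodedSalt`, `EncodeUnicodeSalt` and `Verify` are hypothetical, the password is a constructed sample, and the login-side check is assumed to recompute the hash the way the working version does.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class MembershipHashDemo
{
    // Base64(SHA1(saltBytes || UTF-16LE(password))), the layout used by the working version.
    static string Hash(string password, byte[] saltBytes)
    {
        byte[] pw = Encoding.Unicode.GetBytes(password);
        byte[] all = new byte[saltBytes.Length + pw.Length];
        Buffer.BlockCopy(saltBytes, 0, all, 0, saltBytes.Length);
        Buffer.BlockCopy(pw, 0, all, saltBytes.Length, pw.Length);
        using (SHA1 sha1 = SHA1.Create())
            return Convert.ToBase64String(sha1.ComputeHash(all));
    }

    // Working version: the stored salt string is Base64-decoded to its 16 raw bytes.
    static string EncodeDecodedSalt(string pass, string salt) =>
        Hash(pass, Convert.FromBase64String(salt));

    // First version: the 24-character Base64 text itself is hashed as 48 UTF-16 bytes.
    static string EncodeUnicodeSalt(string pass, string salt) =>
        Hash(pass, Encoding.Unicode.GetBytes(salt));

    // Assumed login-side check: recompute with the decoded salt, compare without early exit.
    static bool Verify(string attempt, string salt, string storedHash)
    {
        byte[] a = Convert.FromBase64String(EncodeDecodedSalt(attempt, salt));
        byte[] b = Convert.FromBase64String(storedHash);
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        byte[] raw = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string salt = Convert.ToBase64String(raw);
        string pass = "Constructed-Sample-1!"; // constructed sample value
        string good = EncodeDecodedSalt(pass, salt);
        string bad = EncodeUnicodeSalt(pass, salt);
        Console.WriteLine("hash with decoded salt : " + good);
        Console.WriteLine("hash with unicode salt : " + bad);
        Console.WriteLine("stored decoded-salt hash verifies: " + Verify(pass, salt, good));
        Console.WriteLine("stored unicode-salt hash verifies: " + Verify(pass, salt, bad));
    }
}
```

This layout is only for staying compatible with an existing membership store: a single salted SHA-1 round is fast to brute-force, so a new credential store should use a slow key-derivation function such as PBKDF2 (`Rfc2898DeriveBytes`).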