> > The bare bare minimum.
> >
> http://www.khalidabuhakmeh.com/asp-net-mvc-5-authentication-breakdown-part-deux
>
This is good thanks! I detest bloated generated code and always like to know how to strip it down to the minimum required. I also followed your link to "storing passwords" because coincidentally I'm right now helping some guys migrate an ancient licensing system stored in flat files over to SQL Server, and they store all the passwords as plain text. I sent them a serious email suggesting we only store password hashes, as you do with Rfc2898DeriveBytes, but I've had no reply, which means I'll have to elevate this up to face-to-face. I hope others here all agree that storing passwords in any reversible form is objectionable. I don't want anyone to get my passwords because I (foolishly) do reuse some of them and it leaves me vulnerable. What if the admin of Github uses my password there to get into my bank account?! (they are actually different passwords, but it's a good example).

-- *Greg*
