So I figured I'd ask since you all seem to be a security-minded bunch and there are probably a bunch of programmers hanging about.
For my day job I've recently dusted off my C# hat to write some ASP.NET stuff for our intranet site and today, for the first time, they didn't want an Active Directory based single-sign-on for a particular page. Now I've never used anything else via ASP.NET - it's basically the only reason I dust off the C# hat at all - super easy to do SSO in ASP.NET, giant pain in PHP.
Anyway, I found the whole process surprisingly easy. I've got a SQL database configured and secured, bumped up the hashing algorithm to SHA512, enforcing password complexity was as simple as setting a couple flags in Web.config... This is way too easy, right?
So aside from the troll-ish replies involving such classics as "Microshit", "Microshaft", "Micro$oft", etc., how good or bad IS the security built into ASP.NET's Membership Providers? Just glancing at the database, it *seems* like they've done everything I would've done by hand, but it also *seems* like it'd get used a lot more if it were all that secure.
Is it just a cost-of-entry thing? Anti-Microsoft sentiment? Or is it actually broken in some way I've yet to identify?