Hi,

I am using the Umbraco Membership Provide in my Umbraco MVC project. One of the features for my users is the ability to reset the password in case a member has forgotten his. If a user wants to reset his password, the user first has to answer a password question. It's a quite familair pattern as far as I know.

In order to do that I have the following line in my web.config:

<add name="UmbracoMembershipProvider" type="umbraco.providers.members.UmbracoMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" defaultMemberTypeAlias="customer" passwordFormat="Hashed" umbracoApprovePropertyTypeAlias="approved" umbracoLockPropertyTypeAlias="lockedOut" umbracoCommentPropertyTypeAlias="comments" umbracoLastLoginPropertyTypeAlias="lastLogonDate" umbracoPasswordRetrievalQuestionPropertyTypeAlias="passwordRetrievalQuestion" umbracoPasswordRetrievalAnswerPropertyTypeAlias="passwordRetrievalAnswer" />

The properties mentioned in the config file (e.g. umbracoLastLoginPropertyTypeAlias, umbracoPasswordRetrievalAnswerPropertyTypeAlias, etc.) are added to the member type. So now when a user is registered all the properties are filled. BUT...also the password retrieval answer is there. In plain text. Why is this one not stored according to the chosen password format. I mean the password answer is almost as good as a password. 

Is there a way to have this stored in a salted or hashed way as well, but still being able to use the ResetPassword feature of the Membership Provider?