Created by wtct 08 Oct 2013, 13:08:12 Updated by Shannon Deminick 18 Oct 2013, 05:30:36
Relates to: U4-532
Relates to: U4-2124
Relates to: U4-3084
Relates to: U4-3089
Relates to: U4-3158
Relates to: U4-3174
Hi!
I probably posted this issue on CodePlex a long time ago, but it is still not fixed :)
The EncodePassword method doesn't recognize the standard ASP.NET membership provider setting, which is MembershipPasswordFormat. When I upgrade Umbraco I always have to modify this method because I have imported members with MD5-hashed passwords.
Please take a look at the modified source code of this method:
///
I'm updating parts of the providers now and fixing this up too. However, the Membership.HashAlgorithmType has many more options than just "SHA1" and "MD5". Also, HashPasswordForStoringInConfigFile formats the hash as hex, whereas normal ASP.Net membership providers and the current Umbraco ones format the hashes as base64.
I've updated the membership/user provider to encrypt/hash correctly using the same code as the ASP.Net membership provider which does all of this properly - but by default we'll continue to use the current Umbraco way so it doesn't break compatibility. You'll be able to override this behavior by specifying a configuration option for the provider: "useLegacyEncoding='false'" which will use a better security standard.
In the meantime, to support all of the hashing algorithms very easily, we have a simple new method that does this: HashAlgorithm.Create(Membership.HashAlgorithmType); which will return the correct hash algorithm for any of the options. Then it's just generic code to create the hash, but the salt isn't random in the current case, whereas if you use useLegacyEncoding='false' then the hashing salt will be random.
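The hex versus base64 difference raised in the comment above is what breaks logins for imported hashes, so here is an added example (not part of the thread and not Umbraco's code) that verifies a stored hash in either encoding using HashAlgorithm.Create by name. StoredHashCheck, Digest, DecodeStored and Verify are hypothetical names; the byte layout (UTF-8 password with the salt prepended) and the .NET Framework target are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class StoredHashCheck
{
    // algorithmName: the value a provider would read from Membership.HashAlgorithmType.
    // Assumption: UTF-8 password bytes with the salt prepended; match whatever wrote the stored value.
    static byte[] Digest(string algorithmName, byte[] salt, string password)
    {
        using (var alg = HashAlgorithm.Create(algorithmName))
        {
            if (alg == null) throw new ArgumentException("Unknown hash algorithm: " + algorithmName);
            return alg.ComputeHash(salt.Concat(Encoding.UTF8.GetBytes(password)).ToArray());
        }
    }

    // A 32-character hex MD5 string is also syntactically valid base64, so the
    // encoding is chosen from the expected digest length, not by trial decoding.
    static byte[] DecodeStored(string stored, int digestBytes)
    {
        if (stored.Length == digestBytes * 2 && stored.All(Uri.IsHexDigit))
            return Enumerable.Range(0, digestBytes)
                .Select(i => Convert.ToByte(stored.Substring(i * 2, 2), 16)).ToArray();
        return Convert.FromBase64String(stored);
    }

    static bool Verify(string algorithmName, byte[] salt, string password, string stored)
    {
        byte[] expected = Digest(algorithmName, salt, password), actual;
        try { actual = DecodeStored(stored, expected.Length); }
        catch (FormatException) { return false; }
        int diff = expected.Length ^ actual.Length; // fixed-time compare, no early exit
        for (int i = 0; i < Math.Min(expected.Length, actual.Length); i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    static void Main()
    {
        const string pw = "example-password"; // constructed sample value
        byte[] none = new byte[0], salt = new byte[16];
        byte[] md5 = Digest("MD5", none, pw);
        string hex = BitConverter.ToString(md5).Replace("-", ""), b64 = Convert.ToBase64String(md5);
        Console.WriteLine(Verify("MD5", none, pw, hex) && Verify("MD5", none, pw, b64));
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt); // random per-user salt
        string salted = Convert.ToBase64String(Digest("SHA256", salt, pw));
        Console.WriteLine(Verify("SHA256", salt, pw, salted));
    }
}
```

Accepting both encodings at verification time lets imported hex hashes keep working while new or re-hashed entries use a random salt and base64.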
Priority: Normal
Type: Usability Problem
State: Fixed
Difficulty: Normal
Backwards Compatible: True
Affected versions: 4.8.0, 4.9.0, 4.10.0, 4.11.0, 6.0.0, 6.1.0, 4.9.1, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 6.0.1, 4.11.5, 6.0.2, 4.11.6, 6.0.3, 6.0.4, 4.11.7, 6.1.1, 6.0.6, 4.11.9, 6.0.5, 4.11.8, 6.0.7, 6.1.2, 4.5.0, 4.5.1, 4.8.1, 4.10.1, 4.11.10, 6.1.3, 6.1.4, 6.1.5, 6.1.6
Due in version: 7.0.0, 6.2.0