U4-3057 - MembershipPasswordFormat problem at EncodePassword method in UmbracoMembershipProvider class

Created by wtct 08 Oct 2013, 13:08:12 Updated by Shannon Deminick 18 Oct 2013, 05:30:36

Relates to: U4-532

Relates to: U4-2124

Relates to: U4-3084

Relates to: U4-3089

Relates to: U4-3158

Relates to: U4-3174


I probably posted this issue on CodePlex a long time ago, but it is still not fixed :)

The EncodePassword method doesn't recognize the standard ASP.NET setting of the membership provider, which is MembershipPasswordFormat. When I upgrade Umbraco I always have to modify this method because I have imported members with MD5-hashed passwords.

Please take a look at the modified source code of this method:


    /// <summary>
    /// Encodes the password.
    /// </summary>
    /// <param name="password">The password.</param>
    /// <returns>The encoded password.</returns>
    public string EncodePassword(string password)
    {
        string encodedPassword = password;
        switch (PasswordFormat)
        {
            case MembershipPasswordFormat.Clear:
                break;
            case MembershipPasswordFormat.Encrypted:
                encodedPassword =
                    Convert.ToBase64String(EncryptPassword(Encoding.Unicode.GetBytes(password)));
                break;
            case MembershipPasswordFormat.Hashed:
                //Modified by WTC 01-08-2011
                //HMACSHA1 hash = new HMACSHA1();
                //hash.Key = Encoding.Unicode.GetBytes(password);
                //encodedPassword =
                //    Convert.ToBase64String(hash.ComputeHash(Encoding.Unicode.GetBytes(password)));
                switch (Membership.HashAlgorithmType)
                {
                    case "SHA1":
                        HMACSHA1 hash = new HMACSHA1();
                        hash.Key = Encoding.Unicode.GetBytes(password);
                        encodedPassword =
                            Convert.ToBase64String(hash.ComputeHash(Encoding.Unicode.GetBytes(password)));
                        break;
                    case "MD5":
                        encodedPassword =
                            FormsAuthentication.HashPasswordForStoringInConfigFile(password, "MD5");
                        break;
                }
                break;
            default:
                throw new ProviderException("Unsupported password format.");
        }
        return encodedPassword;
    }


Shannon Deminick 17 Oct 2013, 04:44:28

I'm updating parts of the providers now and fixing this up too. However, Membership.HashAlgorithmType has many more options than just "SHA1" and "MD5". Also, HashPasswordForStoringInConfigFile formats the hash as hex, whereas normal ASP.Net membership providers and the current Umbraco ones format the hashes as base64.

I've updated the membership/user provider to encrypt/hash correctly using the same code as the ASP.Net membership provider which does all of this properly - but by default we'll continue to use the current Umbraco way so it doesn't break compatibility. You'll be able to override this behavior by specifying a configuration option for the provider: "useLegacyEncoding='false'" which will use a better security standard.

In the meantime, to support all of the hashing algorithms very easily we have a simple new method that does this: HashAlgorithm.Create(Membership.HashAlgorithmType);

which will return the correct hash algorithm for any of the options, then it's just generic code to create the hash - but the salt isn't random in the current case whereas if you use useLegacyEncoding='false' then the hashing salt will be random.
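
The points in the comment above, as an added example that is not Umbraco's code or part of the original thread: a generic digest via HashAlgorithm.Create, the same MD5 digest rendered as hex and as base64, and a randomly salted hash in the style of the ASP.NET SQL membership provider. The class and method names are hypothetical, the password is a constructed sample, and .NET Framework is assumed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class PasswordEncodingDemo   // hypothetical name, for illustration only
{
    // Works for any unkeyed algorithm name that Membership.HashAlgorithmType
    // may hold ("MD5", "SHA1", "SHA256", ...). Keyed names (HMAC*) would also
    // need a key to be set and are not handled here.
    static byte[] Digest(string algorithm, byte[] data)
    {
        using (HashAlgorithm hash = HashAlgorithm.Create(algorithm))
        {
            if (hash == null)   // unknown name: fail instead of storing clear text
                throw new NotSupportedException("Unknown hash algorithm: " + algorithm);
            return hash.ComputeHash(data);
        }
    }

    // hash(salt || UTF-16LE password), base64 encoded.
    static string HashWithSalt(string algorithm, string password, byte[] salt)
    {
        byte[] pwd = Encoding.Unicode.GetBytes(password);
        byte[] all = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, all, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, all, salt.Length, pwd.Length);
        return Convert.ToBase64String(Digest(algorithm, all));
    }

    static void Main()
    {
        const string password = "constructed-sample-password";

        // One digest, two text encodings. A stored hex string never equals the
        // base64 string, so imported hex hashes fail a base64 comparison.
        byte[] md5 = Digest("MD5", Encoding.UTF8.GetBytes(password));
        Console.WriteLine("hex:    " + BitConverter.ToString(md5).Replace("-", ""));
        Console.WriteLine("base64: " + Convert.ToBase64String(md5));

        // Random per-member salt: the same password gives different stored
        // values, so the salt has to be stored next to the hash.
        byte[] salt1 = new byte[16], salt2 = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt1);
            rng.GetBytes(salt2);
        }
        Console.WriteLine("salt 1: " + HashWithSalt("SHA1", password, salt1));
        Console.WriteLine("salt 2: " + HashWithSalt("SHA1", password, salt2));
    }
}
```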

Priority: Normal

Type: Usability Problem

State: Fixed


Difficulty: Normal


Backwards Compatible: True

Fix Submitted:

Affected versions: 4.8.0, 4.9.0, 4.10.0, 4.11.0, 6.0.0, 6.1.0, 4.9.1, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 6.0.1, 4.11.5, 6.0.2, 4.11.6, 6.0.3, 6.0.4, 4.11.7, 6.1.1, 6.0.6, 4.11.9, 6.0.5, 4.11.8, 6.0.7, 6.1.2, 4.5.0, 4.5.1, 4.8.1, 4.10.1, 4.11.10, 6.1.3, 6.1.4, 6.1.5, 6.1.6

Due in version: 7.0.0, 6.2.0


Story Points: