Created by wtct 08 Oct 2013, 13:08:12 Updated by Shannon Deminick 18 Oct 2013, 05:30:36
Relates to: U4-532
Relates to: U4-2124
Relates to: U4-3084
Relates to: U4-3089
Relates to: U4-3158
Relates to: U4-3174
I probably posted this issue on CodePlex a long time ago, but it is still not fixed :)
The EncodePassword method doesn't recognize the standard ASP.NET membership provider setting, which is MembershipPasswordFormat. When I upgrade Umbraco I always have to modify this method because I have imported members with MD5-hashed passwords.
Please take a look at the modified source code of this method:
I'm updating parts of the providers now and fixing this up too. However, Membership.HashAlgorithmType has many more options than just "SHA1" and "MD5". Also, HashPasswordForStoringInConfigFile formats the hash as hex, whereas normal ASP.NET membership providers and the current Umbraco ones format the hashes as base64.
I've updated the membership/user provider to encrypt/hash correctly using the same code as the ASP.NET membership provider, which does all of this properly, but by default we'll continue to use the current Umbraco way so it doesn't break compatibility. You'll be able to override this behavior by specifying a configuration option for the provider: "useLegacyEncoding='false'", which will use a better security standard.
In the meantime, to support all of the hashing algorithms very easily, we have a simple new method that does this: HashAlgorithm.Create(Membership.HashAlgorithmType);
which will return the correct hash algorithm for any of the options. Then it's just generic code to create the hash, but the salt isn't random in the current case, whereas if you use useLegacyEncoding='false' then the hashing salt will be random.
Type: Usability Problem
Backwards Compatible: True
Affected versions: 4.8.0, 4.9.0, 4.10.0, 4.11.0, 6.0.0, 6.1.0, 4.9.1, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 6.0.1, 4.11.5, 6.0.2, 4.11.6, 6.0.3, 6.0.4, 4.11.7, 6.1.1, 6.0.6, 4.11.9, 6.0.5, 4.11.8, 6.0.7, 6.1.2, 4.5.0, 4.5.1, 4.8.1, 4.10.1, 4.11.10, 6.1.3, 6.1.4, 6.1.5, 6.1.6
Due in version: 7.0.0, 6.2.0
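The hex versus base64 mismatch and the fixed versus random salt behaviour described in the reply above, as an added example that is not code from this thread or from Umbraco. The class and method names, the sample password, the 16-byte salt, the salt-then-UTF-16 password layout and the literal algorithm names (standing in for Membership.HashAlgorithmType) are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class PasswordHashDemo // hypothetical names throughout; not Umbraco code
{
    // Hash salt || password with the named algorithm and return base64 text.
    // Assumed layout: salt bytes first, then the UTF-16LE password bytes.
    static string HashBase64(string algorithmName, string password, byte[] salt)
    {
        byte[] pass = Encoding.Unicode.GetBytes(password);
        byte[] all = new byte[salt.Length + pass.Length];
        Buffer.BlockCopy(salt, 0, all, 0, salt.Length);
        Buffer.BlockCopy(pass, 0, all, salt.Length, pass.Length);
        using (HashAlgorithm alg = HashAlgorithm.Create(algorithmName))
        {
            if (alg == null) throw new ArgumentException("Unknown algorithm: " + algorithmName);
            return Convert.ToBase64String(alg.ComputeHash(all));
        }
    }

    // Re-encode a hex digest as base64: same bytes, different text form.
    static string HexToBase64(string hex)
    {
        if (hex.Length % 2 != 0) throw new FormatException("Odd-length hex digest");
        byte[] raw = new byte[hex.Length / 2];
        for (int i = 0; i < raw.Length; i++)
            raw[i] = Convert.ToByte(hex.Substring(2 * i, 2), 16);
        return Convert.ToBase64String(raw);
    }

    static byte[] RandomSalt()
    {
        byte[] salt = new byte[16]; // assumed salt size
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return salt;
    }

    static void Main()
    {
        const string password = "Passw0rd!"; // constructed sample value
        byte[] digest;
        using (HashAlgorithm md5 = HashAlgorithm.Create("MD5"))
            digest = md5.ComputeHash(Encoding.UTF8.GetBytes(password));
        string hex = BitConverter.ToString(digest).Replace("-", "");
        string b64 = Convert.ToBase64String(digest);
        Console.WriteLine("hex == base64 as strings: " + (hex == b64));
        Console.WriteLine("hex re-encoded == base64: " + (HexToBase64(hex) == b64));
        byte[] fixedSalt = new byte[16]; // constructed non-random salt
        Console.WriteLine("fixed salt, equal hashes: " +
            (HashBase64("SHA1", password, fixedSalt) == HashBase64("SHA1", password, fixedSalt)));
        Console.WriteLine("random salts, equal hashes: " +
            (HashBase64("SHA1", password, RandomSalt()) == HashBase64("SHA1", password, RandomSalt())));
    }
}
```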