U4-8643 - Usermanagement - Store password algorithm in Usertable

Created by Jeffrey Schoemaker 22 Jun 2016, 14:47:10 Updated by Stephan 28 Jul 2017, 10:26:54

Relates to: U4-10089

Subtask of: U4-8632

In the current Umbraco versions you can specify whether you want your password hashed or encrypted (of course you want your password hashed )

But you can't update the passwordalgorithm later on, because the password algorithm itself is not stored on the user. Preferably it it stored on the user, so you can update your policy on a later moment (because a new passwordalgorithm is available or you have new insights on encrypting passwords). This can be in a seperate column or in the passwordfield itself (like it's done with the salt).

If you do this, there's also a migrationpath possible when upgrading your install and it's not a problem any longer to change/upgrade the algorithm in a minor version release.

#1 If this feature is implemented; look at the current settings and update the UmbracoUser-table with these settings. #2 If a user logs on with a correct username/pwd-combination AND the algorithm has changed; rehash the password with the new algorithm-policy and store that.

p.s.: It's not a problem to store the password algorithm from a security perspective. As Kerckhoff already stated in the 1883; the password should be kept secret, not the algorithm (https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle).

Comments

Shannon Deminick 19 Jul 2017, 10:06:55

I've started this https://github.com/umbraco/Umbraco-CMS/pull/2059

new db column created and migrated with current info, now to wire up this data with the password hasher (tomorrow)


Shannon Deminick 20 Jul 2017, 04:04:55

This is all ready:

  • Have added a new column to the the user table to store a JSON config value of how the password is stored
  • Have added migration scripts to create this field along with storing the current hashing algorithm type in there
  • Have updated most of the user password APIs to use ASP.NET Identity APIs, everything is still backwards compat (I still have more TODOs to finish that but can do that outside of this task)
  • Created a new IUserAwarePasswordHasher which will be the default password hasher used for new installs ... however it still just falls back to the original way that password hashing is currently done but we are now ready to do this: http://issues.umbraco.org/issue/U4-10089
  • Updated the default user membership provider config values (much cleaner)
  • If anyone has legacy values set, then the password hashing and management will use the old membership provider way. These legacy values are: AllowManuallyChangingPassword and DefaultUseLegacyEncoding, if either of these are set then the new IUserAwarePasswordHasher will not be used

To test:

  • You'll need to force the upgrader to run so change your web.config version to 7.6.0
  • Test that the db column was created and is populated
  • Login/logout should work
  • Create a new user, then login and logout with them
  • Ensure you can change a user's password in the back office - you should either make sure you have AllowPasswordReset to true in your users membership provider, or change your users membership provider to be the new config (see web.template.config) then make sure you can log in and out with that user


Jeffrey Schoemaker 20 Jul 2017, 06:58:55

Great work;

would it now also be possible to update the algorithm and it's still possible to login and the old password get rehashed with the newly set algorithm?


Shannon Deminick 20 Jul 2017, 11:24:10

No, as i said all of that plumbing can come later this is just to get this all working with the new column and the base code/classes to enable that.


Sebastiaan Janssen 20 Jul 2017, 14:23:31

@Shandem Unfortunately at the moment this has the usual chicken and egg problem: can't upgrade because I can't log in because the umbracoUser2UserGroup table doesn't yet exist.


Shannon Deminick 24 Jul 2017, 05:04:59

@sebastiaan yes that is the thing this fixes: http://issues.umbraco.org/issue/U4-10138 ... so might have to wait until @zpqrtbnk reviews and merges that in.


Stephan 28 Jul 2017, 10:26:14

did a successful upgrade from 7.6 and got the new passwordConfig table field, can log in and out, can change password = fine, merging

(note that for the time being, we don't use that info and just fallback to the original hashing)


Priority: Normal

Type: Feature (request)

State: Fixed

Assignee:

Difficulty: Normal

Category:

Backwards Compatible: False

Fix Submitted:

Affected versions:

Due in version: 7.7.0

Sprint: Sprint 64

Story Points: 3

Cycle: