U4-8644 - Usermanagement - Default hashing algorithm

Created by Jeffrey Schoemaker 22 Jun 2016, 15:06:34 Updated by Shannon Deminick 03 Jul 2017, 01:15:27

Duplicates: U4-10089

Warning up-front: This issue can cause serious headaches, and I've had weeks of headaches when trying to understand PBKDF2 and implementing it.

I tried to start this issue by documenting what happens if you set the web.config value for "useLegacyEncoding" to true or false, but I really get stuck when looking at the code. I started with something like this:

By default Umbraco is shipped with the web.config value UseLegacyEncoding set to true. If set to true, the password would by default be hashed with SHA1 (I guess, judging by the source code, but not entirely sure).

If you set the property to false, ...

The reason I've started this issue is that I would love to see PBKDF2 implemented as the default algorithm. As Troy Hunt already wrote in a blog post in 2012 (https://www.troyhunt.com/our-password-hashing-has-no-clothes/): 'your salted SHA hashes are near useless against the bulk of passwords users typically create'.

In a later article in 2012 he states you could better use PBKDF2 as an algorithm (https://www.troyhunt.com/stronger-password-hashing-in-net-with/). The only problem is that PBKDF2 is not supported in the .NET Framework (PBKDF1 is, by the way). An option is to have a look at the site http://securitydriven.net/ (Security Driven .NET), where there's source code available for PBKDF2.

Comments

Shannon Deminick 03 Jul 2017, 01:14:16

I've created a separate issue (sorry, didn't see this one before) with additional info, so let's use that one and see where we get to: U4-10089



Priority: Normal

Type: Feature (request)

State: Duplicate

Difficulty: Difficult

Backwards Compatible: True
