User Passwords in Clear Text
I am struggling with getting a tweaked version of Umbraco to run on my production server...but that's not what this post is about :).
In the course of working through various problems, I noticed that the production server is storing user passwords as hashes, which I like, but the development server is storing user passwords in cleartext, which I don't like. I'm basing this on examining the underlying SQL Server tables on the two servers.
I don't recall doing anything during installation that would create this difference. However, I did specify a custom machinekey for the development server to work around an ASPNET error message. Might that have reset something?
In any event, how do I configure a server to store user passwords as hashes?
- Mark
Check your web.config and make sure the umbracoMemberShipProvider has the passwordFormat set to hashed.
Thanks. FYI, it's the UsersMembershipProviders in v4. It wasn't set to hashed on the development server.
BTW, I presume if I set it to "hashed" on a running setup it'll destroy my ability to log in as admin, correct? Because it'll be expecting a hashed password rather than the cleartext one that's on file. Do you happen to know what hashing algorithm is used? If it's something accessible via .NET (e.g., MD5) I could whip up a little routine to hash the cleartext and then update the value stored in the database.
- Mark
I think it's MD5 Hashed, you could always just look into the source code on codeplex to find out exactly ;)
I actually did that, but the problem was the code simply calls into the MembershipProvider...and I didn't think to go from there to asking "gee, what attributes might exist for this line item in web.config"? :)
- Mark
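The passwordFormat check suggested in the replies above can be scripted so that the development and production web.config files are compared the same way. This is an added example, not code from the thread or from Umbraco; the sample config is constructed, its `type` values are placeholders, and `LegacyProvider` is a hypothetical name.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragment (not taken from the thread). The first
# two provider names follow the ones mentioned above; LegacyProvider is
# hypothetical and the type values are placeholders.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <membership defaultProvider="UmbracoMembershipProvider">
      <providers>
        <clear />
        <add name="UmbracoMembershipProvider" type="PLACEHOLDER" passwordFormat="Hashed" />
        <add name="UsersMembershipProvider" type="PLACEHOLDER" passwordFormat="Clear" />
        <add name="LegacyProvider" type="PLACEHOLDER" />
      </providers>
    </membership>
  </system.web>
</configuration>"""


def audit_password_format(config_xml):
    """Return (provider name, passwordFormat, verdict) for each membership provider."""
    root = ET.fromstring(config_xml)
    findings = []
    # Providers are <add> elements under <membership><providers>; searching with
    # .// also finds them when system.web is wrapped in a <location> element.
    for add in root.findall(".//membership/providers/add"):
        # Match attribute names case-insensitively so a miscased attribute is
        # reported rather than silently treated as missing.
        attrs = {k.lower(): v for k, v in add.attrib.items()}
        name = attrs.get("name", "(unnamed)")
        fmt = attrs.get("passwordformat")
        if fmt is None:
            verdict = "REVIEW: passwordFormat not set, provider default applies"
        elif fmt.lower() == "hashed":
            verdict = "OK"
        elif fmt.lower() == "clear":
            verdict = "FAIL: passwords stored in cleartext"
        elif fmt.lower() == "encrypted":
            verdict = "FAIL: passwords stored reversibly encrypted"
        else:
            verdict = "REVIEW: unrecognised value"
        findings.append((name, fmt, verdict))
    return findings


if __name__ == "__main__":
    for name, fmt, verdict in audit_password_format(SAMPLE_WEB_CONFIG):
        print(f"{name:28} passwordFormat={fmt!s:10} {verdict}")
```

To audit a real site, pass the contents of its web.config to `audit_password_format` instead of the sample string.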