
  • Mark Olbert 87 posts 117 karma points
    Oct 29, 2009 @ 20:59
    Mark Olbert
    0

    User Passwords in Clear Text

    I am struggling with getting a tweaked version of Umbraco to run on my production server...but that's not what this post is about :).

    In the course of working through various problems, I noticed that the production server is storing user passwords as hashes, which I like, but the development server is storing user passwords in cleartext, which I don't like. I'm basing this on examining the underlying SQL Server tables on the two servers.

    I don't recall doing anything during installation that would create this difference. However, I did specify a custom machinekey for the development server to work around an ASPNET error message. Might that have reset something?

    In any event, how do I configure a server to store user passwords as hashes?

    - Mark

  • skiltz 501 posts 701 karma points
    Oct 29, 2009 @ 21:22
    skiltz
    0

    Check your web.config and make sure the umbracoMemberShipProvider has the passwordFormat set to hashed.

     

    <add name="UmbracoMembershipProvider" type="umbraco.providers.members.UmbracoMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="false" defaultMemberTypeAlias="Another Type" passwordFormat="Hashed" />
  • Mark Olbert 87 posts 117 karma points
    Oct 29, 2009 @ 22:24
    Mark Olbert
    0

    Thanks. FYI, it's the UsersMembershipProviders in v4. It wasn't set to hashed on the development server.

    BTW, I presume if I set it to "hashed" on a running setup it'll destroy my ability to log in as admin, correct? Because it'll be expecting a hashed password rather than the cleartext one that's on file. Do you happen to know what hashing algorithm is used? If it's something accessible via .NET (e.g., MD5) I could whip up a little routine to hash the cleartext and then update the value stored in the database.

    - Mark

  • Aaron Powell 1708 posts 3046 karma points c-trib
    Oct 29, 2009 @ 22:58
    Aaron Powell
    0

    I think it's MD5 Hashed, you could always just look into the source code on codeplex to find out exactly ;)

  • Mark Olbert 87 posts 117 karma points
    Oct 29, 2009 @ 23:19
    Mark Olbert
    0

    I actually did that, but the problem was the code simply calls into the MembershipProvider...and I didn't think to go from there to asking "gee, what attributes might exist for this line item in web.config"? :)

    - Mark
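
The check this thread arrives at (look at `passwordFormat` on each membership provider in web.config) can be scripted so that development and production configs are compared the same way. This is an added example, not code from the thread or from Umbraco; the sample config is constructed, and the `type` values on its second and third providers are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config. Only the first <add> mirrors the line posted
# in the thread; the other two are made up to show the failing cases.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <membership defaultProvider="UmbracoMembershipProvider">
      <providers>
        <add name="UmbracoMembershipProvider" type="umbraco.providers.members.UmbracoMembershipProvider" enablePasswordRetrieval="false" passwordFormat="Hashed" />
        <add name="UsersMembershipProvider" type="Placeholder.UsersProvider" enablePasswordRetrieval="false" passwordFormat="Clear" />
        <add name="ExampleProvider" type="Placeholder.ExampleProvider" enablePasswordRetrieval="true" />
      </providers>
    </membership>
  </system.web>
</configuration>"""


def audit_membership_providers(config_xml):
    """Map provider name -> list of issues; providers with no issues are omitted."""
    root = ET.fromstring(config_xml)
    report = {}
    # iter() also finds <membership> nested under <location> elements.
    for membership in root.iter("membership"):
        for add in membership.findall("./providers/add"):
            name = add.get("name", "<unnamed>")
            issues = []
            fmt = add.get("passwordFormat")
            if fmt is None:
                # The effective value then depends on the provider's default,
                # which this script cannot know; flag it for manual review.
                issues.append("passwordFormat not set")
            elif fmt.lower() != "hashed":
                issues.append(f"passwordFormat={fmt}")
            if add.get("enablePasswordRetrieval", "false").lower() == "true":
                # Retrieval requires a recoverable (non-hashed) password store.
                issues.append("enablePasswordRetrieval=true")
            if issues:
                report[name] = issues
    return report


if __name__ == "__main__":
    for provider, issues in audit_membership_providers(SAMPLE_WEB_CONFIG).items():
        print(f"{provider}: {', '.join(issues)}")
```
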
