
  • xrisdoc 53 posts 101 karma points
    Aug 31, 2014 @ 14:40
    xrisdoc
    0

    Password Hashing

    Hello,

    I am currently implementing a new Umbraco 6.2.2 website and I am wanting to use the same members from an existing Umbraco 4.8 website. This isn't an upgrade, it is a completely new Umbraco 6.2.2 instance.

    I have managed to import the members from 4.8 version into the 6.2.2 version by SELECTing all members from cmsMember table and re-creating each of these members in the 6.2.2 version using the MemberService. So all of the members are now in the 6.2.2 version.

    I also wanted to maintain each of the user's current passwords and brought the Password Hash over to the 6.2.2 version, updating the cmsMember table with the Password Hash value from the 4.8 version.

    However, it would seem that when I try to login as one of the members, using their current password, it doesn't seem to validate the login.

    My thought is that maybe the Password Hashing has changed at some point between 4.8 to 6.2.2? Does anyone know if this is the case?

    To test this, I have changed the password for the member within the back office, changing it to the same password as before and this does work when I try to login again. Also, I noticed that it now seems to have a different Password Hash value when I view this in the database.

    Will I be able to do this and is there a way I will be able to maintain the current passwords for my existing members? I would like to avoid having to reset all of my members' passwords if I can.

    Thanks
    Chris

  • Dan Lister 415 posts 1970 karma points c-trib
    Sep 01, 2014 @ 09:09
    Dan Lister
    0

    Hi Chris,

    Just as a test, using the same password, try changing a member password in your 4.8 version and then change a member password in your 6.2.2 version, all through the back office. If the two hashed passwords in your database match, then it sounds like your member migration is quite working. If the two hashed passwords do not match, I don't think you will be able to migrate from one to another as it would seem the hashing process has changed.

    Thanks, Dan.

  • xrisdoc 53 posts 101 karma points
    Sep 01, 2014 @ 12:21
    xrisdoc
    0

    Hi Dan,

    I tried the test you suggested and the password hashes for the same password on 4.8 and 6.2.2 do seem to be different.

    Also, I noticed that in 6.2.2, if I change the password several times using the same password, it generates a different hash each time for the same password. However, 4.8 doesn't seem to do this, it generates the same hash each time for the same password.

    So, from what I can see, it does seem to be hashing the passwords quite differently between the versions. So, I guess I won't be able to migrate the passwords to the new version (6.2.2). 

    I was thinking, I could maybe implement a custom Membership Provider, inheriting this from UmbracoMembershipProvider and trying to override some of the methods to try and use the previous password hashing. This may be a backward step, but it may save me having to reset all of my members' passwords.

    Thanks,
    Chris 

  • xrisdoc 53 posts 101 karma points
    Sep 01, 2014 @ 13:54
    xrisdoc
    1

    Hello,

    I have managed to find a very simple solution.

    In the Web.config on the UmbracoMembershipProvider, I just set the useLegacyEncoding value to true. I guess this forces the use of the previous way of hashing of the passwords.

    Thanks,
    Chris
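
Added example, not part of the thread and not Umbraco code: the thread observes that 4.8 gives the same hash for the same password while 6.2.2 gives a different one each time, which is the difference between an unsalted and a salted scheme. This Python example goes one step beyond the thread by showing a login routine that verifies an imported old-format hash and re-hashes it in the salted format once the password is proven. `legacy_hash`, `salted_hash`, `verify_salted`, `login` and the `v2$` prefix are hypothetical stand-ins, not the algorithms either Umbraco version uses.

```python
import base64
import hashlib
import hmac
import os

# Stand-in schemes (assumptions, not Umbraco's real algorithms).
def legacy_hash(password):
    """Unsalted and deterministic: the same password always yields the same value."""
    return base64.b64encode(hashlib.sha1(password.encode("utf-16-le")).digest()).decode()

def salted_hash(password, salt=None):
    """Random per-record salt stored beside the digest, so repeated changes differ."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return "v2$%s$%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def verify_salted(password, stored):
    """Recompute with the salt taken from the stored record, compare in constant time."""
    salt = base64.b64decode(stored.split("$")[1])
    return hmac.compare_digest(salted_hash(password, salt), stored)

def login(store, user, password):
    """Accept either format; re-hash a legacy record once the password is proven."""
    stored = store.get(user)
    if stored is None:
        return False
    if stored.startswith("v2$"):
        return verify_salted(password, stored)
    if hmac.compare_digest(legacy_hash(password), stored):
        store[user] = salted_hash(password)  # upgrade while the plaintext is in hand
        return True
    return False

# Constructed sample data: one member imported with an old-format hash.
SAMPLE_STORE = {"member1": legacy_hash("Tr0ub4dor&3")}

if __name__ == "__main__":
    print(login(SAMPLE_STORE, "member1", "Tr0ub4dor&3"))  # legacy record accepted
    print(SAMPLE_STORE["member1"].startswith("v2$"))      # record is now salted
    print(login(SAMPLE_STORE, "member1", "Tr0ub4dor&3"))  # salted record accepted
```

Records of members who never log in again stay in the old unsalted format, so a migration of this kind usually pairs with a cut-off date after which remaining legacy records require a reset.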

     
