The reason I ask this question is because I am using FoxyCart as a Shopping Cart mechanism. I am using SHA-256 salted (suffix). When the user is created in FoxyCart, I basically just want to insert the hashed password into Umbraco because it will be hashed already. How can I change Umbraco to use SHA-256 salted suffix and if I want to just update the password, is it best to create the user with a temporary password and then insert the hashed password into the user table?
I set useLegacyEncoding to false. Does it use HMACSHA256 by default if I do that?
I am trying to integrate with Foxy Cart? They offer a wide variety of hashing algorithms. I tried using their SHA256 with a 48 bit salt suffixed and I tried setting the algorithm type in web.config to SHA256, but I had no luck when I copied Foxy Carts generated hash into Umbraco's password field.
no it doesn't default to HMACSHA256, but you can specify it I guess.
The password in Umbraco is stored as "salt + password" so it will probably never work in the way you intended it. You will probably have to write your own membershipprovider.
Do you know what it defaults to when you set useLegacyEncoding = false.
I tried setting it to something like PBKDF2 and it doesn't complain when I create the member, but when I call ValidateUser on the Member, it returns false?
Umbraco does not support PBKDF2 currently out of the box, but I'm preparing an issue and Pull Request to implement this. I'm currently in the stage of finding out the exact details of PBKDF2 (because the default Microsoft implementation works only with HMACSHA1, and doesn't support HMACSHA256 or HMACSHA521).
I found a nuget package that allows you to add PBKDF2 as an option for the algorithm type in web.config, but you need to put it in the Global.asax's Application_Start. I couldn't see this in Umbraco, as far as the Global.asax.cs, where would I put this code?
What hashing algorithm does umbraco use when creating users?
The reason I ask this question is because I am using FoxyCart as a Shopping Cart mechanism. I am using SHA-256 salted (suffix). When the user is created in FoxyCart, I basically just want to insert the hashed password into Umbraco because it will be hashed already. How can I change Umbraco to use SHA-256 salted suffix and if I want to just update the password, is it best to create the user with a temporary password and then insert the hashed password into the user table?
Hi Saied,
it depends on your settings in the web.config. Look for the Membership-section in your web.config.
It looks something like this:
Default "useLegacyEncoding" is set to true, and the hashing algorithm defaults to HMACSHA1.
Hope this helps,
Jeffrey
Hi Jeffrey,
I set
useLegacyEncodingto false. Does it use HMACSHA256 by default if I do that?I am trying to integrate with Foxy Cart? They offer a wide variety of hashing algorithms. I tried using their SHA256 with a 48 bit salt suffixed and I tried setting the algorithm type in web.config to SHA256, but I had no luck when I copied Foxy Carts generated hash into Umbraco's password field.
Hi Saied,
no it doesn't default to HMACSHA256, but you can specify it I guess.
The password in Umbraco is stored as "salt + password" so it will probably never work in the way you intended it. You will probably have to write your own membershipprovider.
Hi Jeffrey,
Do you know what it defaults to when you set
useLegacyEncoding = false.I tried setting it to something like PBKDF2 and it doesn't complain when I create the member, but when I call ValidateUser on the Member, it returns false?
Thanks, Saied
Hi Saied,
Umbraco does not support PBKDF2 currently out of the box, but I'm preparing an issue and Pull Request to implement this. I'm currently in the stage of finding out the exact details of PBKDF2 (because the default Microsoft implementation works only with HMACSHA1, and doesn't support HMACSHA256 or HMACSHA521).
The best way to find out how the default membership provider works is looking at https://github.com/umbraco/Umbraco-CMS/blob/dev-v7/src/Umbraco.Core/Security/MembershipProviderBase.cs. I think it defaults to the Microsoft default, which probably is HMACSHA1 (without PBKDF2).
Hope this helps a bit.
Jeffrey
Hi Jeffrey,
I found a nuget package that allows you to add PBKDF2 as an option for the algorithm type in web.config, but you need to put it in the Global.asax's Application_Start. I couldn't see this in Umbraco, as far as the Global.asax.cs, where would I put this code?
Thanks for the pull request.
Hi Saied,
you can simply add an Global.asax to your project (if it isn't there).
Which nuget package are you using?
Cheers!
Hi Jeffrey,
I am using the following package:
https://www.nuget.org/packages/Zetetic.Security
and I followed the directions on this post:
https://www.zetetic.net/blog/2012/7/3/secure-password-hashing-for-aspnet-in-one-line.html
I do have a global.asax file, but I did not see a global.asax.cs. I did see a mystartup.cs and I put the functionality there and it seemed to work.
is working on a reply...