What hashing algorithm does Umbraco use when creating users?
The reason I ask this question is because I am using FoxyCart as a Shopping Cart mechanism. I am using SHA-256 salted (suffix). When the user is created in FoxyCart, I basically just want to insert the hashed password into Umbraco because it will be hashed already. How can I change Umbraco to use SHA-256 salted suffix and if I want to just update the password, is it best to create the user with a temporary password and then insert the hashed password into the user table?
Hi Saied,
it depends on your settings in the web.config. Look for the Membership-section in your web.config.
It looks something like this:
Default "useLegacyEncoding" is set to true, and the hashing algorithm defaults to HMACSHA1.
Hope this helps,
Jeffrey
Hi Jeffrey,
I set useLegacyEncoding to false. Does it use HMACSHA256 by default if I do that?
I am trying to integrate with Foxy Cart? They offer a wide variety of hashing algorithms. I tried using their SHA256 with a 48 bit salt suffixed and I tried setting the algorithm type in web.config to SHA256, but I had no luck when I copied Foxy Cart's generated hash into Umbraco's password field.
Hi Saied,
No, it doesn't default to HMACSHA256, but you can specify it I guess.
The password in Umbraco is stored as "salt + password" so it will probably never work in the way you intended it. You will probably have to write your own membershipprovider.
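Added example, not part of the original thread and not Umbraco's or FoxyCart's code: it shows why a digest computed over password followed by salt cannot be validated by a scheme that hashes salt followed by password, and the check a custom membership provider could run for imported hashes instead. The hex encoding, UTF-8 input, class and method names, and all sample values are assumptions constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class ImportedHashCheck
{
    static string Sha256Hex(string input)
    {
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(input));
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    // Assumed cart format: SHA-256 over password followed by salt (suffix).
    static string SuffixSalted(string password, string salt) { return Sha256Hex(password + salt); }

    // Illustrative "salt + password" layout (salt first), as described above.
    static string PrefixSalted(string password, string salt) { return Sha256Hex(salt + password); }

    // Compare every character so timing does not reveal the first mismatch.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Check a custom provider's ValidateUser could run for imported rows.
    static bool VerifyImported(string password, string salt, string storedHex)
    {
        return FixedTimeEquals(SuffixSalted(password, salt), storedHex.ToLowerInvariant());
    }

    static void Main()
    {
        string salt = "c0ffee123456";                       // constructed sample salt
        string stored = SuffixSalted("Tr0ub4dor&3", salt);  // stands in for the cart's hash

        Console.WriteLine("suffix verify, right password: " + VerifyImported("Tr0ub4dor&3", salt, stored));
        Console.WriteLine("suffix verify, wrong password: " + VerifyImported("guess", salt, stored));
        // Same password and salt, different concatenation order: digests differ.
        Console.WriteLine("prefix layout matches stored:  " + (PrefixSalted("Tr0ub4dor&3", salt) == stored));
    }
}
```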
Hi Jeffrey,
Do you know what it defaults to when you set useLegacyEncoding = false.
I tried setting it to something like PBKDF2 and it doesn't complain when I create the member, but when I call ValidateUser on the Member, it returns false?
Thanks, Saied
Hi Saied,
Umbraco does not support PBKDF2 currently out of the box, but I'm preparing an issue and Pull Request to implement this. I'm currently in the stage of finding out the exact details of PBKDF2 (because the default Microsoft implementation works only with HMACSHA1, and doesn't support HMACSHA256 or HMACSHA512).
The best way to find out how the default membership provider works is looking at https://github.com/umbraco/Umbraco-CMS/blob/dev-v7/src/Umbraco.Core/Security/MembershipProviderBase.cs. I think it defaults to the Microsoft default, which probably is HMACSHA1 (without PBKDF2).
Hope this helps a bit.
Jeffrey
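Added example, not part of the original thread and not Umbraco's or Microsoft's code: PBKDF2 as defined in RFC 2898, built on the framework's HMACSHA256 class so the pseudorandom function is HMAC-SHA256 rather than HMAC-SHA1. The class name, iteration count and sample inputs are assumptions constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class Pbkdf2Sha256
{
    // PBKDF2 (RFC 2898, section 5.2) with HMAC-SHA256 as the PRF.
    public static byte[] Derive(byte[] password, byte[] salt, int iterations, int length)
    {
        if (iterations < 1 || length < 1) throw new ArgumentOutOfRangeException();
        using (var hmac = new HMACSHA256(password))
        {
            int hLen = hmac.HashSize / 8;                 // 32 bytes per output block
            var output = new byte[length];
            var saltBlock = new byte[salt.Length + 4];    // salt || INT_32_BE(block)
            Buffer.BlockCopy(salt, 0, saltBlock, 0, salt.Length);

            for (int block = 1, offset = 0; offset < length; block++, offset += hLen)
            {
                saltBlock[salt.Length] = (byte)(block >> 24);
                saltBlock[salt.Length + 1] = (byte)(block >> 16);
                saltBlock[salt.Length + 2] = (byte)(block >> 8);
                saltBlock[salt.Length + 3] = (byte)block;

                byte[] u = hmac.ComputeHash(saltBlock);   // U1
                byte[] t = (byte[])u.Clone();             // running XOR of U1..Uc
                for (int i = 1; i < iterations; i++)
                {
                    u = hmac.ComputeHash(u);              // Ui = PRF(password, Ui-1)
                    for (int k = 0; k < hLen; k++) t[k] ^= u[k];
                }
                // The last block may be truncated to fit the requested length.
                Buffer.BlockCopy(t, 0, output, offset, Math.Min(hLen, length - offset));
            }
            return output;
        }
    }

    static void Main()
    {
        byte[] salt = Encoding.UTF8.GetBytes("constructed-salt");          // sample value
        byte[] password = Encoding.UTF8.GetBytes("constructed-password");  // sample value
        byte[] key = Derive(password, salt, 10000, 32);
        Console.WriteLine(Convert.ToBase64String(key));
    }
}
```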
Hi Jeffrey,
I found a nuget package that allows you to add PBKDF2 as an option for the algorithm type in web.config, but you need to put it in the Global.asax's Application_Start. I couldn't see this in Umbraco, as far as the Global.asax.cs, where would I put this code?
Thanks for the pull request.
Hi Saied,
You can simply add a Global.asax to your project (if it isn't there).
Which nuget package are you using?
Cheers!
Hi Jeffrey,
I am using the following package:
https://www.nuget.org/packages/Zetetic.Security
and I followed the directions on this post:
https://www.zetetic.net/blog/2012/7/3/secure-password-hashing-for-aspnet-in-one-line.html
I do have a global.asax file, but I did not see a global.asax.cs. I did see a mystartup.cs and I put the functionality there and it seemed to work.