Per-user salted passwords
Is there any way to configure Umbraco to salt password hashes on a per-user basis?
I'm prepared to write my own Membership provider to enable per-user salted passwords but don't want to if I'm missing a trick with the out-of-the-box configuration.
No, unfortunately this is not supported out of the box; you would indeed have to implement your own membership provider, although it should just be a few changes to the default implementation, so do have a look at the source of Umbraco to get started. I am not sure how much of the XSLT extensions you would have to (or need to) change though.
It could also be a nice new feature for Umbraco, so it would be great if you could contribute it back to the source code!
Whilst I haven't looked at the source code, I would hope that any implementation would avoid any changes to existing XSLT extensions. In fact, as long as a PasswordSalt column were added to the cmsMember / umbracoUser table, everything else could be handled in the password encrypt/decrypt methods.
I'm happy to contribute to the Umbraco source with a per-user salted hash implementation. However, I am not a security or cryptography expert so would be coding against what I understand to be best practices. I haven't contributed to Umbraco before but would hope that any contributions are code reviewed and someone more knowledgeable might cast their eyes on it :-)
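The approach sketched above (a new PasswordSalt column, with everything else handled in the password hashing and validation methods of a custom provider) looks roughly like the following. This is an added example for the thread, not Umbraco's own code: the class name `SaltedPasswordHasher`, the column name `PasswordSalt`, the work factor and the .NET Framework 4 or later target are all assumptions. It uses PBKDF2 via `Rfc2898DeriveBytes`, which ships with the framework, so no third-party library is needed.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical helper that a custom MembershipProvider would call from
// CreateUser/ChangePassword (HashPassword) and ValidateUser (VerifyPassword).
// The provider stores the returned salt in the assumed PasswordSalt column and
// the hash in the existing password column; both are Base64 strings.
public static class SaltedPasswordHasher
{
    private const int SaltSize = 16;       // 128-bit random salt, unique per user
    private const int HashSize = 32;       // 256-bit derived key
    private const int Iterations = 10000;  // assumed PBKDF2 work factor; raise over time

    // Generate a fresh random salt and derive the hash to persist.
    public static void HashPassword(string password, out string saltB64, out string hashB64)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(salt);
        }
        byte[] hash = Derive(password, salt);
        saltB64 = Convert.ToBase64String(salt);
        hashB64 = Convert.ToBase64String(hash);
    }

    // Recompute with the stored salt and compare in fixed time so the comparison
    // does not leak how many leading bytes matched.
    public static bool VerifyPassword(string password, string saltB64, string hashB64)
    {
        byte[] salt = Convert.FromBase64String(saltB64);
        byte[] expected = Convert.FromBase64String(hashB64);
        byte[] actual = Derive(password, salt);
        return FixedTimeEquals(expected, actual);
    }

    // PBKDF2-HMAC-SHA1 (Rfc2898DeriveBytes implements IDisposable from .NET 4.0).
    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            return kdf.GetBytes(HashSize);
        }
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample: two members choosing the same password.
        string saltA, hashA, saltB, hashB;
        SaltedPasswordHasher.HashPassword("correct horse battery staple", out saltA, out hashA);
        SaltedPasswordHasher.HashPassword("correct horse battery staple", out saltB, out hashB);

        // Per-user salts mean identical passwords no longer produce identical hashes.
        Console.WriteLine("Hashes differ for same password: " + (hashA != hashB));

        Console.WriteLine("Correct password accepted: " +
            SaltedPasswordHasher.VerifyPassword("correct horse battery staple", saltA, hashA));
        Console.WriteLine("Wrong password rejected: " +
            !SaltedPasswordHasher.VerifyPassword("wrong password", saltA, hashA));
    }
}
```

One practical point for a contribution like this: members created before the change will have no salt stored, so the provider needs a migration path. A common pattern is to fall back to the legacy check when the PasswordSalt column is empty and, on a successful login, rehash the supplied password with a fresh salt and write both values back.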
My knowledge about membership providers is pretty limited, so I'll believe everything that you're telling me.. ;-)
Of course patches are not accepted without a code review, especially if it's core functionality like this. :)
Also have a look at this wiki article if you go ahead with it: http://our.umbraco.org/wiki/how-tos/contributing-to-umbraco