
  • James Costerton 24 posts 72 karma points
    Apr 28, 2011 @ 01:11
    James Costerton
    0

    Per-user salted passwords

    Is there any way to configure Umbraco to salt password hashes on a per user basis?

    I'm prepared to write my own Membership provider to enable per-user salted passwords but don't want to if I'm missing a trick with the out of the box configuration.

  • Sebastiaan Janssen 5060 posts 15522 karma points MVP admin hq
    Apr 28, 2011 @ 07:08
    Sebastiaan Janssen
    0

    No, unfortunately this is not supported out of the box. You would indeed have to implement your own membership provider, although it should just be a few changes to the default implementation, so do have a look at the source of Umbraco to get started. I am not sure how much of the XSLT extensions you would have to (or need to) change though.

    It could also be a nice new feature for Umbraco, so it would be great if you could contribute it back to the source code!

  • James Costerton 24 posts 72 karma points
    Apr 28, 2011 @ 11:34
    James Costerton
    0

    Whilst I haven't looked at the source code, I would hope that any implementation would avoid any changes to existing XSLT extensions. In fact, as long as a PasswordSalt column were added to the cmsMember / umbracoUser table, everything else could be handled in the password encrypt/decrypt methods.

    I'm happy to contribute to the Umbraco source with a per-user salted hash implementation. However, I am not a security or cryptography expert so would be coding against what I understand to be best practices. I haven't contributed to Umbraco before but would hope that any contributions are code reviewed and someone more knowledgeable might cast their eyes on it :-)

  • Sebastiaan Janssen 5060 posts 15522 karma points MVP admin hq
    Apr 28, 2011 @ 11:55
    Sebastiaan Janssen
    0

    My knowledge about membership providers is pretty limited, so I'll believe everything that you're telling me.. ;-)

    Of course patches are not accepted without a code review, especially if it's core functionality like this. :)

    Also have a look at this wiki article if you go ahead with it: http://our.umbraco.org/wiki/how-tos/contributing-to-umbraco
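
The per-user salt scheme discussed in this thread, sketched as an added example that is not part of any post and is not Umbraco's code. The class name, the sizes, the iteration count and the choice of PBKDF2 as the hash are assumptions; `PasswordSalt` is the column proposed in the thread.

```csharp
using System;
using System.Security.Cryptography;

// Added illustration only; not taken from Umbraco's membership provider.
public static class PerUserSaltedPassword
{
    private const int SaltBytes = 16;       // assumed salt length
    private const int HashBytes = 20;       // one HMAC-SHA1 output block
    private const int Iterations = 100000;  // assumed work factor, tune per hardware

    // Called on registration or password change. Both outputs are stored on the
    // user's row: the salt in the proposed PasswordSalt column, the hash in the
    // existing password column.
    public static void Create(string password, out string saltB64, out string hashB64)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt); // fresh random salt for every user and every change
        }
        saltB64 = Convert.ToBase64String(salt);
        hashB64 = Convert.ToBase64String(Derive(password, salt));
    }

    // Called on login with the salt and hash read back from the user's row.
    public static bool Verify(string password, string saltB64, string hashB64)
    {
        byte[] expected = Convert.FromBase64String(hashB64);
        byte[] actual = Derive(password, Convert.FromBase64String(saltB64));

        // Compare without an early exit so timing does not reveal
        // how many leading bytes matched.
        int diff = expected.Length ^ actual.Length;
        for (int i = 0; i < expected.Length && i < actual.Length; i++)
        {
            diff |= expected[i] ^ actual[i];
        }
        return diff == 0;
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        // PBKDF2; this constructor uses HMAC-SHA1 as the underlying PRF.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            return kdf.GetBytes(HashBytes);
        }
    }
}
```

Because the salt differs per row, two users with the same password get different stored hashes, and a precomputed table built for one salt is useless against any other user.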
