Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at

  • Chris Van Oort 110 posts 370 karma points
    Mar 21, 2018 @ 20:21
    Chris Van Oort

    Proper password hash migration from useLegacyEncoding=true to useLegacyEncoding=false?

    I've got a few Umbraco sites with both members and users that have useLegacyEncoding=true and thus they're using older, unsalted password hashes.

    After digging around a bit I see there's been some chatter on the topic for the past year or so, and some hope to see this get merged into 7.6.x or 7.7.x releases:

    The solutions outlined appear to:

    If anyone has legacy values set, then the password hashing and management will use the old membership provider way. These legacy values are: AllowManuallyChangingPassword and DefaultUseLegacyEncoding, if either of these are set then the new IUserAwarePasswordHasher will not be used

    This would be ideal for us, so as passwords get changed over time they get moved to a more secure storage method, meanwhile older passwords are still functional. (At least that's my understanding of it)

    • Sub-question on that: Are the password hashes with useLegacyEncoding=true stored as unsalted hashes?

    Does anyone know if this is live or functional? If it is, does anyone have notes for how to start the switch from useLegacyEncoding=true to useLegacyEncoding=false? (and thus be able to take advantage of salted, HMAC-SHA256 passwords)

    Best, Chris

  • Jeremy 23 posts 72 karma points
    May 25, 2018 @ 18:01

    Hi Chris,

    I was interested in knowing if you found a solution for migrating users to from legacy hashing to the new salted version.

    Surprised Umbraco hasn't addressed this issue and released some type of migration functionality.

    Thanks for any insight,


  • Chris Van Oort 110 posts 370 karma points
    May 25, 2018 @ 18:12
    Chris Van Oort

    Hi Jeremy,

    Nope -- I haven't seen or heard anything back. We're still searching for a solution here. I like the idea of a hybrid, rolling switchover. This would let us proactively email users to change their passwords within the next 6 months (for example).

    Hopefully someone @ HQ sees this and can lend their insight.

Please Sign in or register to post replies

Write your reply to: