Proper password hash migration from useLegacyEncoding=true to useLegacyEncoding=false?
I've got a few Umbraco sites with both members and users that have useLegacyEncoding=true and thus they're using older, unsalted password hashes.
After digging around a bit I see there's been some chatter on the topic for the past year or so, and some hope to see this get merged into 7.6.x or 7.7.x releases:
The solutions outlined appear to:
"If anyone has legacy values set, then the password hashing and management will use the old membership provider way. These legacy values are: AllowManuallyChangingPassword and DefaultUseLegacyEncoding; if either of these are set, then the new IUserAwarePasswordHasher will not be used."
This would be ideal for us, so that as passwords get changed over time they get moved to a more secure storage method, while older passwords are still functional. (At least that's my understanding of it.)
Sub-question on that: Are the password hashes with useLegacyEncoding=true stored as unsalted hashes?
Does anyone know if this is live or functional? If it is, does anyone have notes for how to start the switch from useLegacyEncoding=true to useLegacyEncoding=false? (And thus be able to take advantage of salted, HMAC-SHA256 passwords.)
Best, Chris
Hi Chris,
I was interested in knowing if you found a solution for migrating users from legacy hashing to the new salted version.
Surprised Umbraco hasn't addressed this issue and released some type of migration functionality.
Thanks for any insight,
Jeremy
Hi Jeremy,
Nope -- I haven't seen or heard anything back. We're still searching for a solution here. I like the idea of a hybrid, rolling switchover. This would let us proactively email users to change their passwords within the next 6 months (for example).
Hopefully someone @ HQ sees this and can lend their insight.
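The hybrid, rolling switchover discussed in this thread (verify against the old format, re-hash with the salted scheme on the next successful login, keep old hashes working until then) sketched in Python as an added example; this is not Umbraco's code and not how its membership provider is wired. The legacy format is modelled as an unsalted SHA-1 (an assumption standing in for whatever the legacy provider actually stored), the new one as HMAC-SHA256 with a random salt, and the record layout and function names are this example's own.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Format tags for the two storage schemes (names are this example's own).
LEGACY = "legacy-unsalted"   # assumed: unsalted SHA-1 stands in for the legacy format
SALTED = "hmac-sha256"       # salted HMAC-SHA256, salt stored beside the hash


@dataclass(frozen=True)
class StoredPassword:
    algorithm: str
    hash_b64: str
    salt_b64: str = ""       # empty for legacy records, which carry no salt

def hash_legacy(password: str) -> StoredPassword:
    """Unsalted hash: equal passwords give equal records (the weakness being migrated away)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return StoredPassword(LEGACY, base64.b64encode(digest).decode())

def hash_salted(password: str, salt: Optional[bytes] = None) -> StoredPassword:
    """Salted HMAC-SHA256: fresh random salt per password unless one is supplied to verify."""
    salt = os.urandom(16) if salt is None else salt
    digest = hmac.new(salt, password.encode("utf-8"), hashlib.sha256).digest()
    return StoredPassword(SALTED, base64.b64encode(digest).decode(),
                          base64.b64encode(salt).decode())

def verify_and_migrate(password: str, stored: StoredPassword) -> Tuple[bool, StoredPassword]:
    """Check `password` against `stored`; a successful legacy login yields the salted record.

    The caller persists the returned record whenever it differs from `stored`, so each
    legacy account upgrades on its next login and old hashes keep working until then.
    """
    if stored.algorithm == LEGACY:
        ok = hmac.compare_digest(hash_legacy(password).hash_b64, stored.hash_b64)
        return ok, (hash_salted(password) if ok else stored)
    if stored.algorithm == SALTED:
        candidate = hash_salted(password, base64.b64decode(stored.salt_b64))
        return hmac.compare_digest(candidate.hash_b64, stored.hash_b64), stored
    raise ValueError(f"unknown password format: {stored.algorithm}")

def legacy_accounts_remaining(records) -> int:
    """Accounts still needing a login or a forced reset before the legacy path is switched off."""
    return sum(1 for r in records if r.algorithm == LEGACY)
```

Running `legacy_accounts_remaining` periodically is what turns the "email users within 6 months" idea into a measurable cutoff: once it reaches zero the legacy branch can be removed.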