Password formats
I found this old thread:
http://www.sitefinity.com/devnet/forums/sitefinity-3-x/security/passwordformat-question.aspx
and I'm wondering what the options are for password formats in Sitefinity 4 (4.4). Are they Hashed, Clear, Encrypted? Or are there more/different ones? We would like to be able to get the passwords to tie into other systems. Also, what will happen to existing passwords (admin password) if we change them to Clear in Advanced settings -> Security -> Membership Providers -> ..... here I need Default, yes? Please confirm. We haven't gone live yet, so we have some time. Thank you!
Eric
Hi Eric,
Thank you for contacting us.
The passwords in Sitefinity 4 are hashed and salt is added by default. If you configure the provider to Clear, it will save the passwords in clear text.
Changing it in Advanced settings -> Security -> Membership Providers -> passwordFormat (to Clear) will not revert already hashed passwords. They will remain hashed and the new passwords will be in clear text.
There is a bug: when changing the provider to save passwords in clear text, it also adds the hashed value of the password after the clear text password. Yes, the values are Hashed (passwords are encrypted one-way using the SHA1 hashing algorithm), Clear, and Encrypted (passwords are encrypted using the encryption settings determined by the machineKey Element (ASP.NET Settings Schema) element configuration).
Greetings,
Stanislav Velikov
the Telerik team
What does the bug affect when passwords are stored Clear? I can see what they look like in the sf_users database table, with the hash added to the Clear text, but if I add, update, or delete users programmatically, will anything be affected? When will the bug be fixed?
Hi Eric,
As the discussion progressed, the bug got fixed. It will be available in the Sitefinity 5.0 release in the middle of February.
An internal build will be released that will contain the fix. The next internal build will be released by the end of this month. It is usually available to download on Friday. It will also be announced in this forum. Note that internal builds are for testing purposes only, so projects should not be upgraded to internal builds because there may be complications with upgrading to official releases. The upgrade scripts might get changed in the official release.
What does the bug affect when passwords are stored Clear?
A hashed version of the password is added to the one in clear text. It has no effect on the ability to work with the user. Deleting or updating the password will not produce a fix because there is a bug with the Sitefinity membership provider.
Regards,
Stanislav Velikov
the Telerik team
So it's ok for me to create and import all my users now with a CLEAR password? Is the bug only visual in the database but not a big deal behind the scenes? Will the 5.0 upgrade continue to work with any current users I create?
Hi,
So it's ok for me to create and import all my users now with a CLEAR password?
The password will now be created with the bugged password field. After the release of 5.0, where the fix is added, all new users will have their passwords properly saved. The already created users will have their password fields remain the same. To fix their password fields, an update of the password will be needed: change the password, or edit the column by hand and delete the hash version in SQL Management Studio.
Is the bug only visual in the database but not a big deal behind the scenes?
Yes, there is no problem concerning the user's ability to log in and use the CMS.
Will the 5.0 upgrade continue to work with any current users I create?
The current users will be working