Password encryption algorithm
Hello,
I was looking at how Sitefinity 4.0's sf_user is made and I've seen that it's composed of
passwd, varchar(128)
password_answer, varchar(128)
password_format, int
password_question, varchar(255)
salt, varchar(128)
Hello Paolo,
We use TripleDES to encrypt the password and add a password salt that is a string of the user object. There is a method of the MembershipDataProvider that encrypts the data, and there we pass the salt as a parameter.
All the best,
Ivan Dimitrov
the Telerik team
Hello Ivan,
I'm asking this since I need to integrate Sitefinity with our existing product and need to import the users we have into Sitefinity. We wish to have it done via SQL; for now we've been able to store them with password_format 0 .... Are you sure it's 3DES and not HMACSHA? Using Reflector, it seems to call that crypto API.
Hello Paolo,
We use TripleDES. My suggestion is to use the API for adding the users instead of replicating the database tables. We add salt to the password, which might change the values you entered. Working with the API is the cleanest way here. You can take a look at this article.
All the best,
Ivan Dimitrov
the Telerik team