More in this section

Forums / General Discussions / Password encryption algorithm

Password encryption algorithm

4 posts, 0 answered
  1. Paolo
    Paolo avatar
    147 posts
    Registered:
    11 Jun 2009
    16 Feb 2011
    Link to this post
    Hello,
    I was looking at how Sitefinity 4.0's sf_user is made and I've seen that it's composed of

    ,<passwd, varchar(128),>
             ,<password_answer, varchar(128),>
             ,<password_format, int,>
             ,<password_question, varchar(255),>
             ,<salt, varchar(128),>

    if password_format is set to 1 I presume sitefinity threats the password as encrypted and if 0 not, what algorithm is used? Sha1?

    Thanks in advance

    Paolo
  2. Ivan Dimitrov
    Ivan Dimitrov avatar
    16072 posts
    Registered:
    12 Sep 2017
    16 Feb 2011
    Link to this post
    Hello Paolo,

    We use TripleDES to encrypt the password and add password salt that is string of the user object. There is a method of the MemberishpDataProvider that encrypts the data and there we pass the salt as a parameter.

    All the best,
    Ivan Dimitrov
    the Telerik team
  3. Paolo
    Paolo avatar
    147 posts
    Registered:
    11 Jun 2009
    17 Feb 2011
    Link to this post
    Hello Ivan,
    I'm asking this since I need to integrate sitefinity with our existing product and need to import the users we have to sitefinity, we wish to have it done via SQL, for now we've been able to store them with password_format 0 .... are you sure it's 3DES and not HMACSHA, using reflector seems to call that crypto api
  4. Ivan Dimitrov
    Ivan Dimitrov avatar
    16072 posts
    Registered:
    12 Sep 2017
    17 Feb 2011
    Link to this post
    Hello Paolo,

    We use TripleDes. My suggestion is using the API for adding the users instead of making database table replication. We add salt to the password which might change the values you entered. Working with the API is the cleanest way here. You can take a look at this article.

    All the best,
    Ivan Dimitrov
    the Telerik team
4 posts, 0 answered