Password formats

6 posts, 0 answered
  1. Eric
    60 posts
    Registered: 24 Feb 2011
    06 Jan 2012
    I found this old thread:
    http://www.sitefinity.com/devnet/forums/sitefinity-3-x/security/passwordformat-question.aspx 

    and I'm wondering what the options are for password formats in Sitefinity 4 (4.4). Are they Hashed, Clear, Encrypted? Or are there more/different ones? We would like to be able to get the passwords to tie into other systems. Also, what will happen to existing passwords (admin password) if we change them to Clear in Advanced settings -> Security -> Membership Providers ->  ..... here I need Default, yes? Please confirm. We haven't gone live yet, so we have some time. Thank you!

    Eric
  2. Stanislav Velikov
    1113 posts
    Registered: 18 Sep 2017
    11 Jan 2012
    Hi Eric,

    Thank you for contacting us.

    The passwords in Sitefinity 4 are hashed and salt is added by default. You can configure the provider to Clear, which is to save the passwords in clear text.
    Changing it in Advanced settings -> Security -> Membership Providers -> passwordFormat (to Clear) will not revert already hashed passwords. They will remain hashed and the new passwords will be in clear text.
    There is a bug: when changing the provider to save passwords in clear text, it also adds the hashed value of the password after the clear text password. Yes, the values are Hashed (passwords are encrypted one-way using the SHA1 hashing algorithm), Clear and Encrypted (passwords are encrypted using the encryption settings determined by the machineKey Element (ASP.NET Settings Schema) element configuration).

    Greetings,
    Stanislav Velikov
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug is fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
  3. Eric
    60 posts
    Registered: 24 Feb 2011
    11 Jan 2012
    What does the bug affect when passwords are stored Clear? I can see what they look like in the sf_users database table, with the hash added to the Clear text, but if I add, update, or delete users programmatically, will anything be affected? When will the bug be fixed?
  4. Stanislav Velikov
    1113 posts
    Registered: 18 Sep 2017
    16 Jan 2012
    Hi Eric,

    As the discussion progressed, the bug got fixed. It will be available in the Sitefinity 5.0 release in the middle of February.
    An internal build will be released that will contain the fix. The next internal build will be released by the end of this month. It is usually available to download on Friday. Also, it will be announced in this forum. Note that internal builds are for testing purposes only, so projects should not be upgraded to internal builds because there may be complications with upgrading to official releases. The upgrade scripts might get changed in the official release.

    What does the bug affect when passwords are stored Clear?
    A hashed version of the password is added to the one in clear text. It has no effect on the ability to work with the user. Deleting or updating the password will not produce a fix because there is a bug with Sitefinity membership provider.

    Regards,
    Stanislav Velikov
    the Telerik team
  5. Eric
    60 posts
    Registered: 24 Feb 2011
    18 Jan 2012
    So it's ok for me to create and import all my users now with a CLEAR password? Is the bug only visual in the database but not a big deal behind the scenes? Will the 5.0 upgrade continue to work with any current users I create?
  6. Stanislav Velikov
    1113 posts
    Registered: 18 Sep 2017
    21 Jan 2012
    Hi,

    So it's ok for me to create and import all my users now with a CLEAR password?

    The password now will be created with the bugged password field. After the release of 5.0, where the fix is added, all new users will have their passwords properly saved. The already created users will have their password fields remain the same. To fix their password fields, an update of the password will be needed: change the password, or edit the column by hand and delete the hash version in SQL management studio.

    Is the bug only visual in the database but not a big deal behind the scenes?

    Yes, there is no problem concerning the user's ability to log in and use the CMS.

    Will the 5.0 upgrade continue to work with any current users I create?

    The current users will be working.

    Kind regards,
    Stanislav Velikov
    the Telerik team
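An added example, not part of the thread and not Sitefinity code: a triage script for the mixed table the replies describe (rows left hashed, rows saved as clear text with a hash appended, and plain clear-text rows), listing which users hold a recoverable password and need a password update. It assumes the hash is a Base64-encoded SHA-1 digest appended with no separator, which the thread does not show; the sample rows and all function names are constructed.

```python
import base64
import hashlib

SHA1_B64_LEN = 28  # Base64 text length of a 20-byte SHA-1 digest


def is_sha1_b64(text):
    """True if text is exactly the Base64 encoding of 20 bytes."""
    if len(text) != SHA1_B64_LEN:
        return False
    try:
        return len(base64.b64decode(text, validate=True)) == 20
    except ValueError:  # bad alphabet, bad padding or non-ASCII input
        return False


def classify(stored):
    """Return 'hashed', 'clear+hash' (the bugged layout) or 'clear'."""
    if is_sha1_b64(stored):
        return "hashed"
    if len(stored) > SHA1_B64_LEN and is_sha1_b64(stored[-SHA1_B64_LEN:]):
        return "clear+hash"
    return "clear"


def audit(rows):
    """Map each category to the user names whose stored value falls in it."""
    report = {"hashed": [], "clear+hash": [], "clear": []}
    for user, stored in rows:
        report[classify(stored)].append(user)
    return report


def sample_digest(password, salt):
    # Constructed stand-in for a salted SHA-1 value; not Sitefinity's routine.
    raw = hashlib.sha1(salt + password.encode()).digest()
    return base64.b64encode(raw).decode()


# Constructed sample rows: (user name, stored password value).
SAMPLE = [
    ("admin", sample_digest("Old-Admin-Pw1", b"s1")),  # saved while Hashed
    ("import01", "Winter2012!" + sample_digest("Winter2012!", b"s2")),  # Clear, bugged
    ("import02", "Spring2012!"),  # Clear, no appended hash
]

if __name__ == "__main__":
    for category, users in audit(SAMPLE).items():
        print(f"{category:10} {users}")
```

A clear-text password that is itself 28 valid Base64 characters would be reported as hashed, so treat the output as a triage list rather than proof.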