This article is reposted from http://blog.reneorban.com/2014/10/hash-and-salt-umbraco-passwords.html

By default (I'm testing on version 7.1.4) Umbraco one-way hashes both Member and User passwords for you. However, also by default, it does not salt those passwords. Salting is nearly as important as hashing in the first place. For example, if "johny48@email.com" signed up for your website with the password "test", the default configuration would produce a database entry like this:

As you can see, the password is hashed to the value "W477AMlLwwJQeAGlPZKiEILr8TA=". There is no salt in this password, so if "kate39@example.com" came along and also registered with the password "test", we would get exactly the same hash value:

This is not good from a security point of view. Because the stored value is a deterministic function of the password alone, every account that chooses "test" ends up with the same hash, so anyone who obtains a copy of the table can see at a glance which users share a password, and the hash itself can be recovered from a precomputed lookup (rainbow) table. Just type "W477AMlLwwJQeAGlPZKiEILr8TA=" into Google and you will most likely find the original password.

Enabling password salting

Umbraco actually supports salted hashing as standard, and it is very easy to enable. In your web.config you will find a node called "membership". Under this node are two providers, "UmbracoMembershipProvider" (for Members) and "UsersMembershipProvider" (for back-office Users). By default both have the attribute "passwordFormat" set to "Hashed" - brilliant! However, there is a second attribute, "useLegacyEncoding", which by default is set to "True". This is what produces the unsalted hashes. To enable salting, simply set "useLegacyEncoding" to "False". You can see exactly what this does by looking at their code on their GitHub.
 
After setting "useLegacyEncoding" to "False" I can update both members' passwords to "test" again, and this time two completely different hash values are generated:

The Catch

Now there is a catch. Because we have changed the way passwords are hashed and validated, poor johny48 and kate39 will no longer be able to log into our site: the legacy hashes stored for them do not match what the salted provider now computes for the same password. They will have to reset or change their passwords before they are able to log in again.

So if you have an existing site with members and users, this may cause you a few problems. However, if you are starting a site fresh, this really is a must.
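As an added example (not code from the original post, and not Umbraco's own implementation), the following Python script builds the two accounts above and shows the three points made so far: an unsalted hash gives both users the same stored value and lets an attacker recover both passwords with a single precomputed table; a per-user random salt produces different values while login still works and the table becomes useless; and a legacy record does not validate under the salted checker, which is the catch. The hash functions, the 16-byte salt, the PBKDF2 work factor and the `login()` upgrade-on-login pattern are choices made for illustration, not Umbraco's storage formats; the post is explicit that Umbraco 7.1.4 does not upgrade in place, so its legacy users must change their passwords instead.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample data (not from the original post): two accounts that pick
# the same weak password, plus a tiny wordlist an attacker might precompute.
ACCOUNTS = {"johny48@email.com": "test", "kate39@example.com": "test"}
WORDLIST = ["password", "123456", "test", "letmein", "qwerty"]

SALT_LEN = 16          # bytes of random salt per stored password (assumption)
ITERATIONS = 100_000   # PBKDF2 work factor (assumption; tune for your hardware)


def legacy_hash(password):
    """Unsalted, deterministic hash: same password -> same stored string.

    Stand-in for an unsalted scheme so the collision is visible; it is NOT a
    reproduction of Umbraco's legacy encoding.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def salted_hash(password, salt=None):
    """Fresh random salt per call plus a slow KDF; stored as base64(salt || key)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return base64.b64encode(salt + key).decode("ascii")


def verify_salted(password, stored):
    """Split the salt back off the stored value, recompute, compare in constant time.

    A legacy (unsalted) record fails here: its bytes are not salt || key, so the
    recomputed key never matches. That is the catch described above.
    """
    raw = base64.b64decode(stored)
    salt, expected = raw[:SALT_LEN], raw[SALT_LEN:]
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(actual, expected)


def build_lookup_table(words):
    """What an attacker precomputes once against an unsalted scheme: hash -> password."""
    return {legacy_hash(w): w for w in words}


def crack_by_lookup(stored, table):
    """One dictionary lookup per stolen hash. Only works when there is no salt."""
    return table.get(stored)


def store_all(hash_fn):
    """Hash every account's password with the given scheme (the 'database' column)."""
    return {user: hash_fn(pw) for user, pw in ACCOUNTS.items()}


def login(username, password, store):
    """Verify a login and, if the record is still legacy, re-hash it salted.

    Generic upgrade-on-login pattern (assumption, for illustration). Umbraco 7.1.4
    does not do this, which is why its legacy users must change their passwords.
    """
    record = store[username]
    if record["format"] == "legacy":
        if not hmac.compare_digest(legacy_hash(password), record["hash"]):
            return False
        store[username] = {"format": "salted", "hash": salted_hash(password)}
        return True
    return verify_salted(password, record["hash"])


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)

    legacy = store_all(legacy_hash)
    print("unsalted:", legacy)                 # identical strings for both users
    for user, h in legacy.items():
        print(" ", user, "->", crack_by_lookup(h, table))   # both recovered

    salted = store_all(salted_hash)
    print("salted:  ", salted)                 # two different strings
    for user, h in salted.items():
        print(" ", user, "->", crack_by_lookup(h, table))   # None for both
        print("  login still works:", verify_salted(ACCOUNTS[user], h))

    # The catch: a legacy record does not validate against the salted checker.
    print("legacy hash under salted check:",
          verify_salted("test", legacy["johny48@email.com"]))
```

Run it as a script to see the two tables side by side. The point to take away is in `verify_salted()`: once the provider expects salt || key, an old unsalted value can never verify, so a site that flips the switch with existing accounts needs either a forced password reset (the situation described in the post) or an upgrade-on-login step like `login()`, which only possible at the moment the user presents the plaintext.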
 
Additionally, because there are two separate membership providers, you could enable salting for just Members and not Users, or vice versa. There is little reason to leave back-office Users on the legacy encoding, though: an administrator's password is the more valuable target.
