How are PBKDF2 passwords hashed?

Marlon Basten asked on August 11, 2021 17:09

I need to migrate users from my Kentico instance to another database and system and therefore need to know how passwords are hashed by default.

No salt is configured in the config and all the other settings are set to default. The password hashing algorithm I use for passwords in my Kentico instance is PBKDF2.

The documentation doesn't give a lot of info about what's happening behind the scenes when a password is being hashed.

What I tried so far: Provided the plain password and used the UserGUID as hash. Used 10000 iterations and set the key length to 32. I also tried other key lengths, but they also didn't work. Then I put the hashed password and salt and encoded it with base64. But it doesn't work and I don't get the right hash for the password in the Kentico database.

Can someone please further explain how I could replicate the hashing process?

Thanks in advance!

Recent Answers

Sean Wright answered on August 12, 2021 00:36

You can use the Kentico.Xperience.Libraries NuGet package in your external application, and then call CMS.Helpers.SecurityHelper.GetPBKDF2Hash, passing the password, which will return the hashed password.

The default iteration count is 10000. The salt is generated from the password itself running through public Rfc2898DeriveBytes(string password, int saltSize, int iterations); in the System.Security.Cryptography namespace.

0 votes
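To make the answer above concrete, here is an added example (not Kentico's code and not taken from the Kentico SDK) of the general PBKDF2 storage pattern the thread is discussing: a random salt is drawn, PBKDF2 is run for 10000 iterations, and the stored record is base64 of salt plus derived key. The iteration count of 10000 comes from the answer; the salt size (16 bytes), the key length (32 bytes), the salt-first layout and the HMAC-SHA1 PRF (the .NET Framework default for Rfc2898DeriveBytes) are assumptions for this illustration, not confirmed Kentico values. The `identify_layout` helper goes a step beyond the thread: given a password you know and its stored record, it tries a few PRF and layout combinations, which is the kind of check a migration needs before trusting any reimplementation.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for this illustration. Only ITERATIONS is stated in the
# thread; the rest are guesses that a migration would have to confirm.
ITERATIONS = 10000
SALT_SIZE = 16        # assumed salt size in bytes
KEY_LENGTH = 32       # assumed derived-key length in bytes
PRF = "sha1"          # assumed PRF (.NET Framework Rfc2898DeriveBytes default)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return base64(salt || PBKDF2-HMAC(password, salt)).

    A fresh random salt is generated when none is supplied, mirroring the
    Rfc2898DeriveBytes(password, saltSize, iterations) constructor described
    in the thread, which also generates its own random salt.
    """
    if salt is None:
        salt = os.urandom(SALT_SIZE)
    derived = hashlib.pbkdf2_hmac(
        PRF, password.encode("utf-8"), salt, ITERATIONS, KEY_LENGTH
    )
    return base64.b64encode(salt + derived).decode("ascii")


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    raw = base64.b64decode(stored)
    salt, expected = raw[:SALT_SIZE], raw[SALT_SIZE:]
    derived = hashlib.pbkdf2_hmac(
        PRF, password.encode("utf-8"), salt, ITERATIONS, len(expected)
    )
    return hmac.compare_digest(derived, expected)


def identify_layout(
    password: str, stored: str, salt_size: int = SALT_SIZE
) -> Optional[Tuple[str, str]]:
    """Given a known password and its stored record, find which PRF and
    salt/hash layout reproduces it. Returns (prf, layout) or None.

    This is a migration aid: run it on a test account whose password you
    set yourself before reimplementing the scheme on another platform.
    """
    raw = base64.b64decode(stored)
    candidates = (
        ("salt+hash", raw[:salt_size], raw[salt_size:]),
        ("hash+salt", raw[-salt_size:], raw[:-salt_size]),
    )
    for prf in ("sha1", "sha256", "sha512"):
        for layout, salt, expected in candidates:
            derived = hashlib.pbkdf2_hmac(
                prf, password.encode("utf-8"), salt, ITERATIONS, len(expected)
            )
            if hmac.compare_digest(derived, expected):
                return prf, layout
    return None


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(identify_layout("correct horse battery staple", record))
```

The point for a migration is that every one of these parameters (PRF, iteration count, salt size, key length, byte order of salt and hash, and the text encoding of both the password and the record) must match the source system exactly, or no hash will verify; `identify_layout` only narrows down the layout and PRF, and the remaining values still have to come from the vendor or from the SDK behaviour itself.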

Marlon Basten answered on August 12, 2021 00:50 (last edited on August 12, 2021 01:06)

Thanks for the answer! What is the default value of salt size? Is it the length of the password? And what algorithm does GetPBKDF2Hash use?

0 votes

Sean Wright answered on August 14, 2021 19:15

Marlon,

I would recommend contacting Kentico support (support@kentico.com) about that question, since the platform is closed source.

Again, using the Kentico SDK APIs in your external application would alleviate you from having to know how they function internally.

0 votes

Marlon Basten answered on August 16, 2021 10:34

Thank you! But unfortunately, I must replicate the algorithm in PHP, so there is no way for me to use the Kentico SDK.

0 votes