How is passwords hashed in Kentico?

Pierre Sanove asked on November 6, 2014 18:02

I need to move the users from a Kentico website to another website, when I move the users I also want to migrate the users passwords.

To be able to migrate the users passwords I need to know how Kentico hashes the passwords. This is the only documentation I can find: http://devnet.kentico.com/docs/7_0rc/devguide/index.html?password_format.htm

But I need more information, what steps should I do to do the same hashing? Where can I find more information?

The documentation I found gives me these facts: - SHA2 is used. But SHA2 is a set of cryptographic hash functions. Which hash function is used? SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 or SHA-512/256? - The users UserGuid is used as salt and is appended to the plain text password. But how is it appended? In the beginning? In the end? In the middle?

The best of course should be if I had the source code for this. Maybe I need to reverse engineering and reflect the code?

Correct Answer

Juraj Komlosi answered on November 6, 2014 22:34

Hi Pierre,

I'll try to bring more light into that. If you are using SHA2SALT password hashing, then the password hash is computed using this method:

SecurityHelper.GetSHA2Hash(password + salt + PassordSalt);

where:

  1. password is the user password,
  2. salt is a dynamic salt value, by default it is the UserGUID - unique value for each user,
  3. PasswordSalt is static salt value, you can specify it by adding the "CMSPasswordSalt" key into your web.config.

As you can see the password hash is by default calculated from the value: password + userGUID, additionaly you can specify "CMSPasswordSalt" value, so the password will be calculated as password + userGUID + CMSPasswordSalt.

Regarding the SHA2 algorithm we use SHA256Managed algorithm to compute password hashes.

You can find more information about password hashing in our documentation - Password encryption in database chapter.

Hope it will help you.

2 votesVote for this answer Unmark Correct answer

Recent Answers

Will Earp answered on August 13, 2015 14:18

Note that the UserGUID field is also lowercased.

0 votesVote for this answer Mark as a Correct answer

   Please, sign in to be able to submit a new answer.