How Kentico 10 hashes passwords

Ashutosh Pandey asked on August 15, 2021 05:43

How is Kentico 10 hashing passwords?

https://docs.xperience.io/k10/securing-websites/designing-secure-websites/securing-user-accounts-and-passwords/setting-the-user-password-format

I saw algorithm as PBKDF2.

I saw default salt to be UserGUID (don't know if it is used as uppercase or lowercase)

I also saw CMSHashString key in web.config

I tried generating the password using the following links and updating the password in the database, but it doesn't work.

https://asecuritysite.com/encryption/PBKDF2y

https://neurotechnics.com/tools/pbkdf2-test

I used following settings:

Salt = UserGUID (tried uppercase, lowercase) OR UserGUID + CMSHashString OR CMSHashString

Iterations = 1000

Key Size = 32

What am I doing wrong?
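A PBKDF2 hash only reproduces when every input matches: the PRF (SHA-1, SHA-256, ...), the exact salt bytes (case and any concatenation with other values), the iteration count, the derived-key length and the output encoding. The following Python harness is an added illustration, not Kentico's code and not a statement of Kentico's actual parameters: it takes a known password and a stored hash and reports which combination of the candidate salts listed in the question (plus a few common PRF, iteration and length choices) reproduces it. The GUID and hash-string values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import itertools

# Constructed sample values; not a real user GUID or CMSHashString.
SAMPLE_PASSWORD = "Correct-Horse-9"
SAMPLE_USER_GUID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"
SAMPLE_HASH_STRING = "examplehashstringvalue"


def pbkdf2_encoded(password, salt, iterations=1000, key_size=32,
                   prf="sha256", encoding="hex"):
    """Derive a PBKDF2-HMAC key and return it as hex or base64 text.

    Both password and salt are UTF-8 encoded before hashing; a different
    text encoding of either would produce a different digest.
    """
    derived = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"),
                                  salt.encode("utf-8"), iterations, key_size)
    if encoding == "hex":
        return derived.hex()
    if encoding == "base64":
        return base64.b64encode(derived).decode("ascii")
    raise ValueError("encoding must be 'hex' or 'base64'")


def candidate_salts(user_guid, hash_string):
    """The salt variants the question tried, labelled for reporting."""
    return {
        "guid_lower": user_guid.lower(),
        "guid_upper": user_guid.upper(),
        "guid+hashstring": user_guid + hash_string,
        "hashstring": hash_string,
    }


def find_matching_parameters(password, stored_hash, user_guid, hash_string,
                             prfs=("sha1", "sha256", "sha512"),
                             iteration_choices=(1000, 10000),
                             key_sizes=(20, 32, 64)):
    """Return (salt_label, prf, iterations, key_size, encoding) for the first
    combination that reproduces stored_hash, or None if nothing matches.

    Hypothetical search space: the candidate lists are assumptions for the
    demonstration, not Kentico's real settings.
    """
    salts = candidate_salts(user_guid, hash_string).items()
    for (label, salt), prf, iters, size, enc in itertools.product(
            salts, prfs, iteration_choices, key_sizes, ("hex", "base64")):
        candidate = pbkdf2_encoded(password, salt, iters, size, prf, enc)
        # Compare in constant time; hex is case-insensitive, base64 is not.
        probe = stored_hash.lower() if enc == "hex" else stored_hash
        if hmac.compare_digest(candidate, probe):
            return (label, prf, iters, size, enc)
    return None


if __name__ == "__main__":
    # Simulate a stored hash produced with one specific parameter set, then
    # show that the search recovers exactly that set and nothing else.
    stored = pbkdf2_encoded(SAMPLE_PASSWORD, SAMPLE_USER_GUID.upper(),
                            1000, 32, "sha256", "hex")
    print(find_matching_parameters(SAMPLE_PASSWORD, stored,
                                   SAMPLE_USER_GUID, SAMPLE_HASH_STRING))
```

Run against your own test account's stored value: if no combination matches, the difference lies in something the search does not vary (a different PRF, a pepper not in the candidate list, a different text encoding of the salt, or a non-PBKDF2 scheme), which is why using the product's own API, as the answers below suggest, is the reliable route.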

Recent Answers


Dmitry Bastron answered on August 16, 2021 06:37

Hi Ashutosh,

The best way to write the updated password into the database would be using Kentico API, so it will be generating the hash correctly:

UserInfoProvider.SetPassword(userName, password);

If for whatever reason you'd need to customize the way the password hash is calculated, you can certainly do so; please check out the documentation.

1 vote

Ashutosh Pandey answered on August 16, 2021 12:38 (last edited on August 16, 2021 12:39)

Thanks @Dmitry, but can you please tell me how SetPassword works behind the scenes? How many iterations, what key size, what salt, etc.?

0 votes

Sean Wright answered on August 19, 2021 23:19

Ashutosh,

Kentico is a closed source product, so if you want that information I would recommend contacting support@kentico.com.

You can purchase a license for full source code access as well if needed.

2 votes
