Hash和Salt Umbraco 默认的password存储方式
本文章转载自 http://blog.reneorban.com/2014/10/hash-and-salt-umbraco-passwords.html
By default right now (I'm testing on version 7.1.4) Umbraco one way hashes both Member and User passwords for you. However also by default it will not salt your passwords. Salting passwords is nearly as important as hashing in the first place. For example if "johny48@email.com" was to sign up for your website with the password "test" it would by default produce a entry in the database like this:
As you can see the password is hashed to the value "W477AMlLwwJQeAGlPZKiEILr8TA=". However there is no salt on this password, so if "kate39@example.com" came along and also registered using the password "test" we would get the same hash value:
This is not very good from a security point view. These values could very easily be rainbow tabled (just type "W477AMlLwwJQeAGlPZKiEILr8TA=" into google and you will most likely find the original value).
As you can see the password is hashed to the value "W477AMlLwwJQeAGlPZKiEILr8TA=". However there is no salt on this password, so if "kate39@example.com" came along and also registered using the password "test" we would get the same hash value:
This is not very good from a security point view. These values could very easily be rainbow tabled (just type "W477AMlLwwJQeAGlPZKiEILr8TA=" into google and you will most likely find the original value).
Enabling Password salting
Umbraco actually supports hashing and salting as standard and its very easy to enable. Within your Web.Config file you will find a node called "membership". Under this node you will find two providers named "UmbracoMembershipProvider" and "UsersMembershipProvider". By default these will have the attribute "passwordFormat" set to "Hashed" - brilliant! However there is a second option named "useLegacyEncoding" that by default it is set to "True". This is what causes the non salted passwords. To enable salting simply set "useLegacyEncoding" to "False". You can see what this will do by looking at their code on their GitHub.
After setting "useLegacyEncoding" to "False" I can update my members password to "test" again and we will be generated two completely different hash values.
The Catch
Now there is a catch to this. Because we have changed the way that passwords are validated and stored poor johny48 and kate39 will no longer be able to log into our site. They will have to update/change their passwords before their able to once again login.
So if you have a existing site with members and users this might cause you a few problems...However if your starting a site fresh this really is a must.
Additionally because there are two different membership providers you could enable salting for just members and not users or vice versa.
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· AI与.NET技术实操系列:向量存储与相似性搜索在 .NET 中的实现
· 基于Microsoft.Extensions.AI核心库实现RAG应用
· Linux系列:如何用heaptrack跟踪.NET程序的非托管内存泄露
· 开发者必知的日志记录最佳实践
· SQL Server 2025 AI相关能力初探
· 震惊!C++程序真的从main开始吗?99%的程序员都答错了
· 【硬核科普】Trae如何「偷看」你的代码?零基础破解AI编程运行原理
· 单元测试从入门到精通
· 上周热点回顾(3.3-3.9)
· winform 绘制太阳,地球,月球 运作规律