0
votes

Security Noob here.

I am trying to move from asp.net membership to Umbraco membership. But using passwordFormat="Encrypted" seems to encrypt differently between the Umbraco membership provider and Microsoft's SQL membership provider.

If I register two users with the SQL membership provider (with passwordFormat="Encrypted") - the encoded passwords are different. If I do the same with the Umbraco provider they're the same.

While all the strings decrypt to the same thing (the correct password) - I apparently can't use the passwords encrypted by the SQL membership provider in the Umbraco DB (ValidateUser fails).

Anyone have any ideas?

Note: I'm using the same machineKey on both sites.

Edit: Calling EncryptPassword() and EncodePassword() on the Umbraco membership provider gives different results - and EncodePassword is the correct one to call. But EncodePassword isn't available on the .NET Membership provider. This was another part of my confusion.

2
The passwords may be different because they are salted. Check out the PasswordSalt column in the membership database, it should be a Base64 string. - Infotekka
@Infotekka after lots of thought I'm pretty sure that's it - because .NET has salts and Umbraco doesn't. I didn't realise encryption (not hashing) can use a salt (mainly because I didn't know how it could get back to the original plaintext without knowing the salt). And now doing a proper test - if I change the salt it will NOT let me log in. So that's it! - Ian Grainger
@Infotekka now I've checked, do you want to make this a real answer and I'll mark it correct - thanks for the clarity! - Ian Grainger
Right on, I copied my comment into an answer below - glad to help! - Infotekka

2 Answers

1
votes

The passwords may be different because they are salted. Check out the PasswordSalt column in the membership database, it should be a Base64 string.
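Added example, not code from the question, from Umbraco or from ASP.NET: a Go model of the two providers' EncodePassword for passwordFormat="Encrypted", showing why the SQL provider's salted value never validates under an unsalted provider and also fails when the PasswordSalt changes. The cipher construction, the key, and the unsalted Umbraco behaviour are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
)

// Constructed stand-in for the <machineKey> decryptionKey shared by both sites (16 bytes = AES-128).
var machineKey = []byte("constructed-key!")

// encryptPassword stands in for MembershipProvider.EncryptPassword, modelled as deterministic
// (AES-CBC, PKCS#7 padding, fixed zero IV) so equal input gives equal output, as the question
// observed. Not the real ASP.NET code; password bytes are used as-is rather than UTF-16.
func encryptPassword(plain []byte) []byte {
	block, _ := aes.NewCipher(machineKey) // key length is fixed above, so this cannot fail
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	buf := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(buf))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, buf)
	return out
}

// encodeSQL mirrors SqlMembershipProvider.EncodePassword for passwordFormat="Encrypted":
// the decoded PasswordSalt bytes are prepended to the password before encryption, so the
// stored value depends on the per-user salt even though the key is the same.
func encodeSQL(password, salt string) string {
	bSalt, _ := base64.StdEncoding.DecodeString(salt) // PasswordSalt is stored as Base64
	return base64.StdEncoding.EncodeToString(encryptPassword(append(bSalt, []byte(password)...)))
}

// encodeUmbraco models the Umbraco provider's EncodePassword: no salt, so two users with
// the same password get the same stored value (assumed from the question's observation).
func encodeUmbraco(password string) string {
	return base64.StdEncoding.EncodeToString(encryptPassword([]byte(password)))
}

// validateSQL is how CheckPassword works in the SQL provider: re-encode the offered
// password with the stored salt and compare. With a different salt it fails.
func validateSQL(stored, salt, password string) bool {
	return stored == encodeSQL(password, salt)
}

// validateUmbraco re-encodes without a salt, so a value produced by encodeSQL never matches.
func validateUmbraco(stored, password string) bool {
	return stored == encodeUmbraco(password)
}
```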

0
votes

The Umbraco passwords are hashed using the System.Security.Cryptography.HMACSHA1 class. I'm guessing you could hash the SQL membership users' passwords with HMACSHA1 and call it good.

See Add User with hashed password for more details.