Security Noob here.

I am trying to move from ASP.NET membership to Umbraco membership. But using passwordFormat="Encrypted" seems to encrypt differently between the Umbraco membership provider and Microsoft's SQL membership provider.

If I register two users with the SQL membership provider (with passwordFormat="Encrypted") - the encoded passwords are different. If I do the same with the Umbraco provider they're the same.

While all the strings decrypt to the same thing (the correct password), I apparently can't use the passwords encrypted by the SQL membership provider in the Umbraco DB (ValidateUser fails).

Anyone have any ideas?

Note: I'm using the same machineKey on both sites.

Edit: Calling EncryptPassword() and EncodePassword() on the Umbraco membership provider gives different results - and EncodePassword is the correct one to call. But EncodePassword isn't available on the .NET Membership provider. This was another part of my confusion.

Ian Grainger
    The passwords may be different because they are salted. Check out the PasswordSalt column in the membership database, it should be a Base64 string. – Infotekka Feb 06 '13 at 22:38
  • @Infotekka after lots of thought I'm pretty sure that's it - because .NET has salts and Umbraco doesn't. I didn't realise encryption (not hashing) can use a salt (mainly because I didn't know how it could get back to the original plaintext without knowing the salt). And now doing a proper test - if I change the salt it will NOT let me log in. So that's it! – Ian Grainger Feb 07 '13 at 09:22
  • @Infotekka now I've checked, do you want to make this a real answer and I'll mark it correct - thanks for the clarity! – Ian Grainger Feb 07 '13 at 09:32
  • Right on, I copied my comment into an answer below - glad to help! – Infotekka Feb 12 '13 at 18:22

2 Answers

The passwords may be different because they are salted. Check out the PasswordSalt column in the membership database, it should be a Base64 string.

Infotekka
The Umbraco passwords are hashed using the System.Security.Cryptography.HMACSHA1 class. I'm guessing you could hash the SQL membership users passwords with HMACSHA1 and call it good.

See Add User with hashed password for more details.

Douglas Ludlow
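An added example (not code from the question or from either answer) that illustrates both answers: why the SQL membership provider produces different stored values for the same password (a per-user salt is prepended to the password bytes before hashing or encrypting, and validation recomputes with the stored salt), and why the legacy Umbraco provider produces identical values (no salt). It mirrors the SqlMembershipProvider layout of a 16-byte salt followed by the UTF-16LE password bytes, demonstrated with the "Hashed" format because the "Encrypted" format needs the site's machineKey; the encrypted format encrypts that same salt-prefixed byte string, which is why decryption recovers the password without consulting PasswordSalt. The HMACSHA1-keyed-with-the-password detail for Umbraco is an assumption about the legacy provider, not verified here, and the sample password and salts are constructed.

```python
import base64
import hashlib
import hmac
import os

# SqlMembershipProvider's EncodePassword works on salt_bytes || UTF-16LE(password).
# The salt is 16 random bytes, stored Base64-encoded in the PasswordSalt column.
SALT_SIZE = 16


def generate_salt() -> str:
    """Fresh per-user salt, Base64-encoded as it would sit in PasswordSalt."""
    return base64.b64encode(os.urandom(SALT_SIZE)).decode("ascii")


def salted_input(password: str, salt_b64: str) -> bytes:
    """The byte string the SQL provider hashes (Hashed) or encrypts (Encrypted)."""
    return base64.b64decode(salt_b64) + password.encode("utf-16-le")


def sql_encode_hashed(password: str, salt_b64: str) -> str:
    """passwordFormat="Hashed" with the default SHA1 algorithm: Base64(SHA1(salt || password))."""
    digest = hashlib.sha1(salted_input(password, salt_b64)).digest()
    return base64.b64encode(digest).decode("ascii")


def sql_validate_hashed(password: str, stored_b64: str, salt_b64: str) -> bool:
    """ValidateUser recomputes the encoding with the user's stored salt and compares."""
    return hmac.compare_digest(sql_encode_hashed(password, salt_b64), stored_b64)


def strip_salt(decrypted: bytes) -> str:
    """For passwordFormat="Encrypted" the provider decrypts with the machineKey and
    discards the leading SALT_SIZE bytes; the salt travels inside the ciphertext,
    which is why decryption does not need PasswordSalt separately."""
    return decrypted[SALT_SIZE:].decode("utf-16-le")


def umbraco_legacy_encode(password: str) -> str:
    """Assumed legacy Umbraco behaviour (not verified against Umbraco source here):
    HMACSHA1 keyed with the password bytes over those same bytes, no salt, so two
    users with the same password get the same stored value."""
    pwd = password.encode("utf-16-le")
    return base64.b64encode(hmac.new(pwd, pwd, hashlib.sha1).digest()).decode("ascii")


def umbraco_legacy_validate(password: str, stored_b64: str) -> bool:
    return hmac.compare_digest(umbraco_legacy_encode(password), stored_b64)


def demo() -> dict:
    """Constructed sample: two users registering the same password."""
    password = "Passw0rd!"
    salt_a, salt_b = generate_salt(), generate_salt()
    sql_a, sql_b = sql_encode_hashed(password, salt_a), sql_encode_hashed(password, salt_b)
    umb_a, umb_b = umbraco_legacy_encode(password), umbraco_legacy_encode(password)
    return {
        "sql_values_differ": sql_a != sql_b,                                        # salted: True
        "sql_valid_with_own_salt": sql_validate_hashed(password, sql_a, salt_a),     # True
        "sql_valid_with_other_salt": sql_validate_hashed(password, sql_a, salt_b),   # False
        "umbraco_values_equal": umb_a == umb_b,                                      # unsalted: True
        "round_trip": strip_salt(salted_input(password, salt_a)),                    # "Passw0rd!"
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "sql_valid_with_other_salt" case is the test the question's author describes: validating against a different salt fails even though the password is right, so a stored value can only be moved between providers together with its salt and with an encoding scheme that consumes it. The unsalted variant makes equal passwords visible as equal stored values, which is the weaker property a migration should not carry forward.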