What kind of hashing does Umbraco use in its membership provider?
S

3

5

I need to move users off of Umbraco to another CMS and all their passwords are hashed. I'd like to prevent users from resetting their passwords and would like to implement the same hashing algorithm in the new CMS.

What hashing type does Umbraco use in its membership provider?

For example:

"W477AMlLwwJQeAGlPZKiEILr8TA=" is the hash of "test"

I cannot use .NET and will have to re-implement this hashing in JavaScript.

UPDATED WITH ANSWER:

//not sure why I can't use cryptojs's utf16LE function
//words = CryptoJS.enc.Utf16LE.parse("test");
//utf16 = CryptoJS.enc.Utf16LE.stringify("test");

function str2rstr_utf16le(input) {
  var output = [],
      i = 0,
      l = input.length;

  for (; l > i; ++i) {
    output[i] = String.fromCharCode(
      input.charCodeAt(i)        & 0xFF,
      (input.charCodeAt(i) >>> 8) & 0xFF
    );
  }

  return output.join('');
}

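// Parse the byte string as Latin1 so each character becomes exactly one byte.
// Passing a plain string makes CryptoJS UTF-8-encode it, which corrupts bytes above 0x7F.
var pwd = CryptoJS.enc.Latin1.parse(str2rstr_utf16le("test"));
var hash = CryptoJS.HmacSHA1(pwd, pwd);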

var encodedPassword = CryptoJS.enc.Base64.stringify(hash);
alert(encodedPassword);
Susan answered 10/1, 2013 at 3:52 Comment(1)
You really saved my day, thanks for sharing this. - Thurston
M
5

To be more specific, it uses this particular class to hash the password. This should serve as a simple implementation example.

Like Martijn pointed out, though, Umbraco uses the standard provider model. As such, you can both access it easily via the abstract classes, and create your own implementation of a membership provider.

Metalloid answered 10/1, 2013 at 23:6 Comment(2)
Unfortunately I have to create a JavaScript implementation so I can't extend or use the .NET class. I tried a default hmacsha1 with a blank key but that didn't seem to reproduce the same results. - Susan
Aha, good old JavaScript implementation. I'm guessing... mobile? :) Either way, I knew I came across this at some point in the past. The issue is the encoding used by the library you're using (I assume crypto.js). This thread should prove enlightening. - Metalloid
B
3

Umbraco is using the ASP.NET Membership Provider model, meaning that all the abstract classes which are provided Out-Of-The-Box with ASP.NET are capable of accessing the Umbraco Member. Check this link for more information about the ASP.NET Membership provider.

Bahrain answered 10/1, 2013 at 8:21 Comment(1)
According to the ASP.NET membership provider doc, it's a SHA-1 hash with Base64 encoding by default, but that doesn't produce the result above. Is there a default salt value? - Susan
F
0

If you want to do it in C#, you can use the following hashing method:

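using System;
using System.Security.Cryptography;
using System.Text;

// The UTF-16LE bytes of the password are used as both the HMAC key and the message.
public static string GetHash(string password) {
    byte[] passwordBytes = Encoding.Unicode.GetBytes(password);
    using (var hash = new HMACSHA1(passwordBytes)) {
        return Convert.ToBase64String(hash.ComputeHash(passwordBytes));
    }
}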
Freiburg answered 12/9, 2017 at 15:15 Comment(0)
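
The scheme given in the answers above (HMAC-SHA1 keyed with the password's own UTF-16LE bytes, Base64-encoded), as an added Node.js example that is not part of the original posts: it verifies an imported hash in constant time and re-hashes to salted scrypt on the first successful login. The function names and the `scrypt$<salt>$<key>` record layout are assumptions made for this example.

```javascript
// Added example using only Node.js built-in crypto; all function names are hypothetical.
const crypto = require('node:crypto');

// Legacy scheme from this thread: Base64(HMAC-SHA1(key = message = UTF-16LE(password))).
function umbracoLegacyHash(password) {
  const bytes = Buffer.from(password, 'utf16le'); // same bytes as .NET Encoding.Unicode
  return crypto.createHmac('sha1', bytes).update(bytes).digest('base64');
}

// Constant-time comparison of a candidate password against a stored legacy hash.
function verifyLegacy(password, storedBase64) {
  const expected = Buffer.from(storedBase64, 'base64');
  const actual = Buffer.from(umbracoLegacyHash(password), 'base64');
  return expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
}

// New-format record (assumed layout): "scrypt$<salt>$<key>", both parts Base64.
function scryptHash(password, salt = crypto.randomBytes(16)) {
  const key = crypto.scryptSync(password, salt, 32);
  return ['scrypt', salt.toString('base64'), key.toString('base64')].join('$');
}

function verifyScrypt(password, record) {
  const [, saltB64, keyB64] = record.split('$');
  const expected = Buffer.from(keyB64, 'base64');
  const actual = crypto.scryptSync(password, Buffer.from(saltB64, 'base64'), expected.length);
  return crypto.timingSafeEqual(expected, actual);
}

// Login path during migration: accept the imported hash once, then replace it.
// Base64 never contains '$', so a legacy hash cannot be mistaken for a new record.
function login(user, password) {
  if (user.hash.startsWith('scrypt$')) return verifyScrypt(password, user.hash);
  if (!verifyLegacy(password, user.hash)) return false;
  user.hash = scryptHash(password); // upgrade while the plaintext is available
  return true;
}
```

The sample pair from the question can be checked with `verifyLegacy`. Because the legacy format is unsalted, equal passwords produce equal stored hashes until each account has been upgraded.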
