Hashing Passwords

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

Please do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.

This forum is for discussing mojoPortal development


You can monitor commits to the repository from this page. We also recommend developers to subscribe to email notifications in the developer forum as occasionally important things are announced.

Before posting questions here you might want to review the developer documentation.

12/28/2011 8:17:13 AM
~Leslie

Hashing Passwords

I'm new to mojoPortal and password hashing procedures.  I have some questions about how passwords are hashed and the possible values outlined in the mojoMembershipProvider.cs/WebConfigSettings.cs files.

My first question:  in researching what type of hashing is used as a default in mojoPortal, I found a post saying it is MD5x3.  I found the MD5 procedure, but what designates that it is x3?  In stepping through the code, it only runs through the hash procedure once as far as I can tell.  Where is the loop or is it not x3?

Second question:  In the mojoMembershipProvider.cs file, code exists for using SHA512 hashing, which is what we'd like to use, but this option is commented out with a note saying, 'TODO: we can't currently use SHA256 or SHA512 because the password field in the db is not big enough to store the hash.'   Another comment on the WebConfigSettings.cs file says, 'possible values, MD5 (default), SHA256, SHA512 for future use currently we can only use MD5 because the password field in the db is only nvarchar(128) SHA256 requires 256 bits and SHA512 requires 512 bits we will need to change to ntext (to support SQL 2000).'

In checking dbo.mp_Users, the Pwd field is nvarchar(1000), and in testing hashed passwords using the SHA512 code in my development environment, everything worked.  Was the field size increased for this field but not updated in the documentation?  I'd like to verify this before a decision is made to publish the modifications to the web site.

Thanks,

Leslie

12/28/2011 8:27:07 AM

Re: Hashing Passwords

Hi Leslie,

The field size was increased but I haven't yet got to implementing the changes. It is going to require some care to correctly handle upgrades without breaking anything or locking users out and requiring a password reset.

The comments in code are not exactly what I have in mind at this point. I'm thinking of using sha512 by default but having a process to handle sites that were upgraded such that if the hashed entered password doesn't match a sha512 hash then we'll check against the older hash and if that matches we'll update the password field with the password re-hashed using sha512. We no longer support SQL 2000 so that is no longer an issue.

I should be able to get to completing this in the near future.

Best,

Joe

12/28/2011 8:49:42 AM
~Leslie

Re: Hashing Passwords

Thanks for the fast response Joe.  What about the x3 question?  Is the default MD5 run x3?

Leslie

12/28/2011 9:12:34 AM

Re: Hashing Passwords

Hi Leslie,

No it is just MD5, where did you see a post about that?

Best,

Joe

12/28/2011 9:18:06 AM
~Leslie

Re: Hashing Passwords

Here's the link where it references the x3:  https://www.mojoportal.com/Forums/Thread.aspx?pageid=5&mid=34&ItemID=9&thread=4715&postid=19838 (I did a search on 'hash').

Thanks again Joe!

12/28/2011 9:35:44 AM
~Leslie

Re: Hashing Passwords

And after re-reading your original response, do you think it would be safe to go from clear text to hashed implemented through sha512 in mojoMembershipProvider.cs?  We haven't modified the password format to hashed yet, so there wouldn't be a need to match up existing records.

12/28/2011 9:51:17 AM

Re: Hashing Passwords

Hi Leslie,

If you are producing your own build from source code I suppose you could change that, but in general I recommend avoiding forking the code.

Since I am planning to change to sha512 it might not be a problem, except for the fact that I plan to use salt in the hashing as well, and that is not currently implemented in the methods available in mojoMembershipProvider. I'll probably make it check if there is a salt value in the PasswordSalt field and if not then hash without it, so it may not pose a problem, but it is something to be aware of.

I'm going to have to change the code from using the SiteUser.Login method, which just returns the username if the password is correct (as checked in the database after hashing the password and passing it in), and instead bring back the user based on the email or login name if he exists and then validate inside mojoMembershipProvider, so that I can pull back the hashed password and the salt with one hit to the db, since I can't do the hashing and salting in the database (at least not in all the supported database layers).

But if that is the only change you make, it may work out ok to upgrade later, where your changes will be lost and mine will replace them; it would just mean that your existing users before upgrading would not have the salt.

Best,

Joe
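The login-time migration Joe sketches across his replies (check the entered password against a sha512 hash first, fall back to the older MD5 hash, re-hash and store on success, and treat an empty PasswordSalt as "hash without salt"), written out as an added C# example; this is not mojoPortal's code and not how mojoMembershipProvider is actually implemented. `UserRecord`, `PasswordUpgrader`, `StoreSalted`, the 16-byte salt, and the UTF-16/Base64 encoding choices are assumptions made for the example; a real provider would load and update the mp_Users row instead of mutating an in-memory object. Base64 SHA-512 output is 88 characters, which fits the nvarchar(1000) Pwd column Leslie reports.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical stand-in for the mp_Users row the provider would fetch in one trip
// (login name, stored hash, and salt together), as Joe describes.
public class UserRecord
{
    public string LoginName { get; set; }
    public string Pwd { get; set; }          // stored hash, Base64-encoded
    public string PasswordSalt { get; set; } // null/empty on rows hashed before salting existed
}

public static class PasswordUpgrader
{
    // Legacy scheme: a single unsalted MD5 over the password. The UTF-16 encoding is an
    // assumption for this example; the real code must use whatever the legacy hash used.
    public static string LegacyMd5(string password)
    {
        using (var md5 = MD5.Create())
            return Convert.ToBase64String(md5.ComputeHash(Encoding.Unicode.GetBytes(password)));
    }

    // Target scheme: SHA-512 over salt || password. An empty salt hashes the bare password,
    // which is how rows without a PasswordSalt value are treated in Joe's plan.
    public static string Sha512(string password, string salt)
    {
        byte[] saltBytes = string.IsNullOrEmpty(salt) ? new byte[0] : Convert.FromBase64String(salt);
        byte[] pwdBytes = Encoding.Unicode.GetBytes(password);
        byte[] input = new byte[saltBytes.Length + pwdBytes.Length];
        Buffer.BlockCopy(saltBytes, 0, input, 0, saltBytes.Length);
        Buffer.BlockCopy(pwdBytes, 0, input, saltBytes.Length, pwdBytes.Length);
        using (var sha = SHA512.Create())
            return Convert.ToBase64String(sha.ComputeHash(input));
    }

    // 16 random bytes from the platform CSPRNG (salt length is an assumption for the example).
    public static string NewSalt()
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        return Convert.ToBase64String(salt);
    }

    // Compare two encoded hashes without stopping at the first differing character.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Returns true when the password is valid. On success the stored hash is upgraded
    // in place to salted SHA-512 if the row was still MD5 or unsalted SHA-512.
    public static bool ValidateAndUpgrade(UserRecord user, string enteredPassword)
    {
        // 1. Current scheme first; the salt may be empty on a site upgraded before salting.
        if (FixedTimeEquals(Sha512(enteredPassword, user.PasswordSalt), user.Pwd))
        {
            if (string.IsNullOrEmpty(user.PasswordSalt)) StoreSalted(user, enteredPassword);
            return true;
        }
        // 2. Fall back to the legacy unsalted MD5 hash, then re-hash with a fresh salt.
        if (FixedTimeEquals(LegacyMd5(enteredPassword), user.Pwd))
        {
            StoreSalted(user, enteredPassword);
            return true;
        }
        return false;
    }

    // Stand-in for the UPDATE of mp_Users.Pwd and mp_Users.PasswordSalt.
    static void StoreSalted(UserRecord user, string password)
    {
        user.PasswordSalt = NewSalt();
        user.Pwd = Sha512(password, user.PasswordSalt);
    }

    // Walk-through on a constructed legacy row: a wrong password leaves the row untouched,
    // the first correct login upgrades it, and later logins validate under the new scheme.
    public static void Demo()
    {
        var user = new UserRecord { LoginName = "leslie", Pwd = LegacyMd5("correct horse"), PasswordSalt = null };
        bool wrong = ValidateAndUpgrade(user, "wrong password");
        bool first = ValidateAndUpgrade(user, "correct horse");
        bool upgraded = !string.IsNullOrEmpty(user.PasswordSalt) && user.Pwd != LegacyMd5("correct horse");
        bool again = ValidateAndUpgrade(user, "correct horse");
        Console.WriteLine("wrong={0} first={1} upgraded={2} again={3}", wrong, first, upgraded, again);
    }
}
```

Because the stored value carries no format marker, the two schemes are told apart only by which comparison succeeds, and checking the current scheme first means the MD5 path is never taken again for a row once it has been re-hashed. The comparison is written as a fixed-time loop rather than `==` so that a string comparison that exits at the first mismatch does not leak anything about the stored hash; `CryptographicOperations.FixedTimeEquals` does the same job on newer .NET runtimes. Note that one round of SHA-512 is a fast hash; `Rfc2898DeriveBytes` (PBKDF2, in the same namespace) can be dropped into the same `Sha512(password, salt)` slot if a slow, iterated hash is wanted later without changing the upgrade logic.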

12/28/2011 9:57:50 AM
~Leslie

Re: Hashing Passwords

Okay, I appreciate the explanation.  I'm going to pass your information to the development team before making a decision.  If you're interested, I'll let you know what they decide and how it goes if they do decide to go with the sha512 before your modifications are complete.  Thanks!

~Leslie
