Default hash algorithm changed from SHA1 to HMACSHA512 in EPiServer 7
If you're starting a new EPiServer 7 project that is meant to share credentials with another system, beware that the default hash algorithm has changed.
Alongside MVC 4, Microsoft introduced the ASP.NET Universal Providers (System.Web.Providers): a new set of Membership, Role, Profile and Session-state providers that supersede the older SQL Server-specific defaults and run against SQL Server, SQL Server Compact and SQL Azure.
To go with the new providers, the default membership hash algorithm was changed from SHA1 to HMACSHA256 (the framework default from .NET 4.5 onwards). Be clear about what the longer digest buys you: HMACSHA256 and HMACSHA512 are still single-pass, fast hashes, so brute-forcing a leaked hash table runs only modestly slower than against SHA1. A real slowdown needs an iterated, work-factor scheme such as PBKDF2 or bcrypt, and the hashAlgorithmType setting offers no iteration count.
EPiServer also decided to adopt the new hash algorithm type in CMS 7. You may have noticed the hashAlgorithmType attribute in your web.config:
<membership defaultProvider="MultiplexingMembershipProvider" userIsOnlineTimeWindow="10" hashAlgorithmType="HMACSHA512">
In CMS 6, the hashAlgorithmType attribute was not specified by default, so the provider fell back to the .NET default for that framework version: SHA1.
According to the EPiServer development team, it was a design decision that the default hash algorithm in EPiServer 7 should at least match the default in .NET 4.5. They went one step further and chose HMACSHA512 (where .NET itself defaults to HMACSHA256).
They did not, however, switch the default provider from MultiplexingMembershipProvider to the Universal Providers; that decision is left to developers.
How does this affect my project?
If you plan to share login credentials with another system that uses SHA1 (or anything other than HMACSHA512), both systems must be configured for the same hash method, and it is the whole scheme (per-user salt, how the salt is combined with the password, the algorithm) that has to match, not just the algorithm name. Different algorithms produce different hashes for the same password and salt, and the provider verifies a login by re-hashing the submitted password with the stored salt and the currently configured algorithm, so if you change hashAlgorithmType after accounts exist, every existing password stops validating. The provider cannot convert stored hashes to a new algorithm because it no longer has the plaintext; the only ways forward are a password reset or re-hashing each user at their next successful login.
Note that upgrading a site from CMS 6 to CMS 7 does not change the hash algorithm: the upgrade cannot rewrite the stored hashes, and switching the setting would invalidate every existing password.
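To make the compatibility point concrete, here is an added Python example (not code from this post or from EPiServer) that reproduces the hashed-password scheme of ASP.NET's SqlMembershipProvider, the provider that EPiServer's MultiplexingMembershipProvider delegates to in the default SQL configuration. The password is encoded as UTF-16LE; for a plain hash type such as SHA1 the per-user salt is prepended to it, while for an HMAC type the salt is instead used as the HMAC key, truncated or repeated to the key length .NET generates by default. The key sizes (64 bytes for HMACSHA256, 128 for HMACSHA512), the 16-byte salt, and the behaviour of EncodePassword are taken from the .NET Framework reference source as I read it, not from this post, and the sample salt and password are constructed values. The example then verifies a SHA1-era hash under HMACSHA512 to show exactly the failure you get after switching the setting. If you use it to share credentials with a non-.NET system, validate it against a salt and hash pulled from your own aspnet_Membership table before relying on it.

```python
import base64
import hashlib
import hmac
import os

# .NET Framework HMAC constructors generate a random key of the block size when
# none is supplied; SqlMembershipProvider.EncodePassword then overwrites that key
# with the salt, truncated or repeated to the same length.
# Assumed default key sizes: HMACSHA256 -> 64 bytes, HMACSHA512 -> 128 bytes.
HMAC_ALGORITHMS = {"HMACSHA256": ("sha256", 64), "HMACSHA512": ("sha512", 128)}
# Unkeyed types hash salt || password in a single pass.
PLAIN_ALGORITHMS = {"SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}

SALT_SIZE = 16  # SqlMembershipProvider.GenerateSalt() draws 16 random bytes


def salt_as_hmac_key(salt: bytes, key_len: int) -> bytes:
    """Resize the salt to the HMAC key length the way the provider does:
    a longer salt is truncated, a shorter one is repeated until it fills the key."""
    if len(salt) >= key_len:
        return salt[:key_len]
    repeats = key_len // len(salt) + 1
    return (salt * repeats)[:key_len]


def encode_password(password: str, salt_b64: str, algorithm: str) -> str:
    """Return the Base64 string the provider stores for a Hashed-format password."""
    pw = password.encode("utf-16-le")   # Encoding.Unicode.GetBytes(pass)
    salt = base64.b64decode(salt_b64)   # Convert.FromBase64String(salt)
    if algorithm in HMAC_ALGORITHMS:
        digest, key_len = HMAC_ALGORITHMS[algorithm]
        raw = hmac.new(salt_as_hmac_key(salt, key_len), pw, digest).digest()
    elif algorithm in PLAIN_ALGORITHMS:
        raw = hashlib.new(PLAIN_ALGORITHMS[algorithm], salt + pw).digest()
    else:
        raise ValueError(f"unsupported hashAlgorithmType: {algorithm}")
    return base64.b64encode(raw).decode("ascii")


def generate_salt() -> str:
    """Fresh per-user salt, Base64 encoded as the provider stores it."""
    return base64.b64encode(os.urandom(SALT_SIZE)).decode("ascii")


def verify_password(password: str, salt_b64: str, stored_b64: str, algorithm: str) -> bool:
    """Re-hash the candidate with the stored salt and the *configured* algorithm and
    compare in constant time. Because the configured algorithm is an input here,
    changing hashAlgorithmType silently breaks every existing account."""
    return hmac.compare_digest(encode_password(password, salt_b64, algorithm), stored_b64)


# Constructed sample: a fixed salt so the run is reproducible (real salts are random).
SAMPLE_SALT = base64.b64encode(bytes(range(16))).decode("ascii")
SAMPLE_PASSWORD = "Correct-Horse-Battery"


def migration_check() -> dict:
    """Show what happens to a CMS 6 (SHA1) hash once web.config says HMACSHA512."""
    cms6_hash = encode_password(SAMPLE_PASSWORD, SAMPLE_SALT, "SHA1")
    cms7_hash = encode_password(SAMPLE_PASSWORD, SAMPLE_SALT, "HMACSHA512")
    return {
        "sha1_hash": cms6_hash,
        "hmacsha512_hash": cms7_hash,
        # Same password, same salt, same algorithm: login works.
        "same_algorithm_verifies": verify_password(SAMPLE_PASSWORD, SAMPLE_SALT, cms6_hash, "SHA1"),
        # Same password and salt, but web.config now says HMACSHA512: login fails.
        "after_switch_verifies": verify_password(SAMPLE_PASSWORD, SAMPLE_SALT, cms6_hash, "HMACSHA512"),
    }


if __name__ == "__main__":
    for key, value in migration_check().items():
        print(f"{key}: {value}")
```

Run it as a script to see the two hashes side by side and the two verification results; the second system sharing your credentials has to produce the same "sha1_hash" or "hmacsha512_hash" string from the same salt and password, whichever algorithm both web.configs agree on.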
For more reference...
See Scott Hanselman's blog post introducing the Universal Providers.
Also check out Troy Hunt's blog post on the new hash algorithm for some interesting figures on brute-forcing speed and performance with the new algorithm.