Password format

When creating a user, you can specify how the password is stored in the database. You can choose between the following values of the MembershipPasswordFormat enumeration:

  • Clear (0)
  • Hashed (1)
  • Encrypted (2)

For more information about each value, read here.

Default password format

When creating a user, the default password format value of the provider is assigned to the user object. To modify the default value of the provider, you must perform the following:

  1. Log in to the Sitefinity CMS backend.
  2. From the menu, click Administration » Settings.
  3. Click Advanced Settings.
  4. In the tree view, navigate to Security » Membership providers.
  5. Click the provider that you want to modify.
  6. Navigate to Parameters » passwordFormat.
  7. Enter one of the MembershipPasswordFormat values as a string.
  8. Click the Save changes button.

Changing password format

When changing the password format for a specific user, you must force the password of the user to be re-encoded. To do this, you must call the ChangePassword method of the Telerik.Sitefinity.Security.UserManager object.

To specify the password format, you use the PasswordFormat property of the Telerik.Sitefinity.Security.Model.User object. It is of type int and you must use the integer representations of the MembershipPasswordFormat enumeration. For example:

C#
using System.Web.Security;
using Telerik.Sitefinity.Security;
using Telerik.Sitefinity.Security.Model;

namespace SitefinityWebApp
{
    public class ChangePasswordFormat
    {
        public static MembershipCreateStatus CreateUser(string username, string password, string firstName, string lastName, string mail, string secretQuestion, string secretAnswer, bool isApproved)
        {
            UserManager userManager = UserManager.GetManager();

            MembershipCreateStatus status;

            User user = userManager.CreateUser(username, password, mail, secretQuestion, secretAnswer, isApproved, null, out status);

            // Failures are reported through status; do not touch the user object unless creation succeeded.
            if (status != MembershipCreateStatus.Success || user == null)
            {
                return status;
            }

            // The two variants below are equivalent; use one of them.

            // Variant 1: set the format through the enumeration.
            user.PasswordFormat = (int)MembershipPasswordFormat.Hashed;

            // Variant 2: set the same format through its integer value (1 = Hashed).
            user.PasswordFormat = 1;

            // As stated above, the stored password is re-encoded in the new format
            // only when UserManager.ChangePassword is called for the user.
            userManager.SaveChanges();

            return status;
        }
    }
}

For more information, see the For developers: Change the password of a user example.
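
The provider default is assigned when a user is created and each user carries its own PasswordFormat, so after changing the default it is worth checking which accounts are still not stored as Hashed. The following is an added example, not code from the Sitefinity documentation: the class name PasswordFormatAudit is hypothetical, and it assumes UserManager.GetUsers() and User.UserName from the Sitefinity API, which this page does not show.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Security;
using Telerik.Sitefinity.Security;
using Telerik.Sitefinity.Security.Model;

namespace SitefinityWebApp
{
    // Hypothetical helper (added example): reports accounts whose stored
    // password format is Clear, Encrypted, or an unexpected value.
    public static class PasswordFormatAudit
    {
        public class Finding
        {
            public string UserName { get; set; }
            public string Format { get; set; }
        }

        // Maps the stored int to the enumeration name. Values outside 0-2
        // are reported as unknown instead of being cast blindly.
        public static string Describe(int passwordFormat)
        {
            return Enum.IsDefined(typeof(MembershipPasswordFormat), passwordFormat)
                ? ((MembershipPasswordFormat)passwordFormat).ToString()
                : "Unknown (" + passwordFormat + ")";
        }

        // Lists users of the default membership provider that are not Hashed.
        // Assumption: GetUsers() returns the provider's users as a queryable.
        public static IList<Finding> FindNonHashedUsers()
        {
            UserManager userManager = UserManager.GetManager();
            int hashed = (int)MembershipPasswordFormat.Hashed;

            // Filter in the query, then format the result in memory.
            List<User> users = userManager.GetUsers()
                .Where(u => u.PasswordFormat != hashed)
                .ToList();

            return users
                .Select(u => new Finding { UserName = u.UserName, Format = Describe(u.PasswordFormat) })
                .OrderBy(f => f.Format).ThenBy(f => f.UserName)
                .ToList();
        }
    }
}
```

Each account in the result still needs its password re-encoded through ChangePassword, as described above, before its format can be treated as Hashed.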

Salt

Sitefinity CMS membership uses Salt for additional security when encoding passwords. For more information about what Salt is, read here.

When creating a user, a Salt value is automatically assigned to the user object. You can access and change this value through the Salt property of the Telerik.Sitefinity.Security.Model.User object. To generate a new Salt for the users, use the GetRandomKey method of the Telerik.Sitefinity.Security.SecurityManager object and pass the desired length. Here is an example:

C#
using Telerik.Sitefinity.Security;

namespace Telerik.Sitefinity.Documentation.CodeSnippets.DeepDive.Security.Users
{
    public partial class UsersSnippets
    {
        // Returns a new random Salt value of the requested length.
        public static string GenerateSalt(int byteLength)
        {
            return SecurityManager.GetRandomKey(byteLength);
        }
    }
}