Is there an existing issue for this?
Description of problem
DNN uses the SqlMembershipProvider with hashed passwords. Passwords are encrypted one-way using the SHA1 hashing algorithm. Passwords are hashed including an additional PasswordSalt (16 characters), which is random for every user.
NIST formally deprecated use of SHA-1 in 2011 and disallowed its use for digital signatures in 2013, and declared that it should be phased out by 2030.
Source: Wikipedia
“Modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government,”
Source: NIST Retires SHA-1 Cryptographic Algorithm (December 15, 2022):
Description of solution
Change Hash Algorithm from SHA1 to SHA256.
This requires a few changes, especially in:
- web.config:
<membership ... hashAlgorithmType="SHA256">
- DNN MembershipPasswordController
- Backward compatibility for Passwords and PasswordHistory, which currently have everything in SHA1
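To make the backward-compatibility point concrete, here is an added Python example (not DNN's or the .NET provider's own code) that hashes the way the SqlMembershipProvider does (assumed here: salt bytes followed by the UTF-16LE password, digest base64-encoded) and verifies a stored record with whichever algorithm it was written with, re-hashing legacy SHA1 records to SHA256 on a successful login. The record layout and the `alg` field are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os


def make_salt() -> str:
    # 16 random bytes, stored base64-encoded (assumed to match the provider's PasswordSalt).
    return base64.b64encode(os.urandom(16)).decode("ascii")


def encode_password(password: str, salt_b64: str, algorithm: str) -> str:
    # Assumed provider layout: hash(salt_bytes || UTF-16LE(password)), then base64.
    data = base64.b64decode(salt_b64) + password.encode("utf-16-le")
    return base64.b64encode(hashlib.new(algorithm, data).digest()).decode("ascii")


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Check the password against the record's own algorithm.

    On success, a legacy SHA1 record is re-salted and re-hashed with SHA256,
    so old hashes disappear as users log in; a wrong password changes nothing.
    """
    expected = encode_password(password, record["salt"], record["alg"])
    if not hmac.compare_digest(expected, record["hash"]):
        return False
    if record["alg"] == "sha1":
        record["salt"] = make_salt()
        record["hash"] = encode_password(password, record["salt"], "sha256")
        record["alg"] = "sha256"
    return True


def legacy_count(records: list) -> int:
    # Useful for tracking how many users still carry SHA1 hashes after the switch.
    return sum(1 for r in records if r["alg"] == "sha1")


if __name__ == "__main__":
    # Constructed sample record, not data from a real DNN database.
    salt = make_salt()
    user = {"salt": salt, "alg": "sha1", "hash": encode_password("correct horse", salt, "sha1")}
    print("wrong password:", verify_and_upgrade(user, "wrong"), user["alg"])
    print("right password:", verify_and_upgrade(user, "correct horse"), user["alg"])
```

Rows in PasswordHistory would need the same per-row algorithm marker, since they cannot be re-hashed without the original plaintext.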
Description of alternatives considered
No response
Anything else?
Do you plan to contribute code for this enhancement?
Would you be interested in sponsoring this enhancement?
Code of Conduct