Setting the user password format

There are multiple different formats that can be used to store passwords in the database. They may be saved either in plain text (not recommended) or as the result of a security hash function.

You can choose which option to use in Settings -> Security & Membership -> Passwords via the Password format setting:

  • The default and recommended option is SHA2 with salt.

Note: Changing the password format only affects how future passwords will be stored. Existing passwords remain functional, but are stored in their original format (the CMS_User database table contains a column that specifies the format of each user’s password). You need to reset all passwords to store them in the new format.

For this reason, we recommend setting the appropriate password format directly after installation, before you create user accounts or allow users to start registering.

Password salt

Passwords are usually stored using the SHA-2 hash function with the additional application of a salt. A salt is a string appended to passwords before they are hashed, which helps protect the passwords against dictionary or other types of brute force attacks. It also ensures that every user has a different password hash, even if multiple users have the same password.

Kentico adds two types of salt to the password:

  • User salt - by default, the GUID of each user (stored in the UserGuid column) is appended to the passwords before the hash function is applied.

  • Password salt - to increase the length of the salt (to further improve the security of hashed passwords), you can define a custom string that the system appends to every password. Add the following key into the <appSettings> section of your web.config file:

    
    
    
      <add key="CMSPasswordSalt" value="SaltText" />
    
    
      

The following diagram shows how the password and salt values are composed before the hash function is applied:

Password

User salt

Password salt