Passwords can be stored in the database in several formats: either in plain text or as the result of a security hash function.

You can choose which option is used in Site Manager -> Settings -> Security & Membership -> Passwords, via the Password format setting.

The Password format setting is stored in the Users database table.


Password salt

Passwords are usually stored using the SHA2 hash format with the additional application of a salt. A salt is a string that is appended to a password before it is hashed, which helps protect the passwords against dictionary or other types of brute force attacks. It also ensures that every user has a different password hash, even if multiple users have the same password.

In Kentico, we add two types of salt to the password: 

Password and salt are composed in this way:

Password + Custom salt + Password salt

Please keep in mind that changing the password format only affects how future passwords will be stored. Existing passwords will remain unchanged, so you will need to reset all passwords for them to be stored in the new format.

For this reason, it is recommended to set the appropriate format directly after installation, before you create user accounts or allow users to start registering.
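
The salt composition and the format-change behaviour described above, as an added Python sketch that is not Kentico's own code: it shows two users with the same password getting different hashes, and an account created before a format change staying in its old format until its password is reset. Assumptions: SHA-256 stands in for "SHA2", the custom salt is a random per-user GUID, and the format labels, salt value and class name are constructed for illustration.

```python
import hashlib
import hmac
import uuid

SITE_SALT = "constructed-site-salt"  # assumption: one application-wide "Password salt"


def salted_hash(password, custom_salt, password_salt=SITE_SALT):
    # Order from the page: Password, then Custom salt, then Password salt.
    material = (password + custom_salt + password_salt).encode("utf-8")
    return hashlib.sha256(material).hexdigest()  # SHA-256 stands in for "SHA2"


class UserStore:  # hypothetical stand-in for the user table
    def __init__(self, password_format):
        self.password_format = password_format  # global setting for future passwords
        self.users = {}

    def set_password(self, name, password):
        # The custom salt is per user (assumption: a random GUID), kept across resets.
        user = self.users.setdefault(name, {"custom_salt": str(uuid.uuid4())})
        user["format"] = self.password_format  # format recorded with the user
        if user["format"] == "plaintext":
            user["stored"] = password
        else:
            user["stored"] = salted_hash(password, user["custom_salt"])

    def verify(self, name, candidate):
        user = self.users[name]
        # Check against the format the password was stored in, not the current setting.
        if user["format"] != "plaintext":
            candidate = salted_hash(candidate, user["custom_salt"])
        return hmac.compare_digest(candidate.encode(), user["stored"].encode())

    def needs_reset(self):
        # Accounts whose stored format differs from the current setting.
        return sorted(n for n, u in self.users.items()
                      if u["format"] != self.password_format)


if __name__ == "__main__":
    store = UserStore("plaintext")
    store.set_password("alice", "Summer2024!")   # constructed sample credentials
    store.password_format = "sha2-salted"        # format changed after alice registered
    store.set_password("bob", "Summer2024!")
    store.set_password("carol", "Summer2024!")
    print(store.users["bob"]["stored"] != store.users["carol"]["stored"])
    print(store.needs_reset())
```

Running `needs_reset()` after a format change gives the list of accounts whose passwords are still stored the old way.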