DNN Forums

Password hashing method, unclear how it works, trying to replicate

Hi all,

I'm working with a project that is using DNN v. 09.11.02 (0). As part of the project I need to be able to support the existing users by implementing in Node.js the same password hashing algorithm that is used by DNN. It is configured with a SqlMembershipProvider specifying hashed passwords, and in the machineKey tag it specifies SHA1.

I've done quite a bit of exploration, which you can see on my StackOverflow cross-post: https://stackoverflow.com...nt138924164_78793875

But essentially, when putting together the salt and the password, the hash I'm getting out is consistently different than what is stored.

I'm wondering if anyone here has any knowledge of why this may be — whether a different hashing method is used in this version of DNN, or whether something happens to the password before it is hashed?

Any and all suggestions & help would be greatly appreciated.

Kind regards

Adam

 

Not really sure about it, but here seems to be the login method...

Happy DNNing!
Michael

Michael Tobisch
DNN★MVP

Hi Michael

Thanks for getting back to me. I've had a look over that and other areas of DNN but can't work out what's different here. I can't see any changes to the password, e.g. pre-hashing, appending values etc, that would make DNN's use of ASP.NET's MembershipProvider different. But — I may have missed something.

It seems like a very niche issue, and I'm sure it's something simple, but somehow I think the passwords are being mutated before being stored.

Adam,

I never inspected these methods, but I would try to find the called function and analyze it from the source code. This would give you more information about it. But I am pretty sure it's quite straightforward. Hopefully someone who has a deeper knowledge than me about this will answer soon...

Happy DNNing!
Michael

Michael Tobisch
DNN★MVP


GitHub is down at the moment, but you may want to compare how you're doing your hashing to how DNN does it. When GitHub comes back online, check out the EncryptAES method in the DotNetNuke.Security.FIPSCompliant class. You may find yourself hashing it a bit differently.

The other thing I'd triple-check and trace is whether you're using the exact same values as DNN.

I don't think hashed passwords go through that method. I think it is just passed down to the ASP.NET provider. Don't quote me on it though, I did not dig further on that.
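
Added example, not part of the thread and not DNN's own code: if hashing is passed down to the stock ASP.NET SqlMembershipProvider with a plain (non-keyed) algorithm such as SHA1, the stored value is Base64(SHA1(salt bytes followed by the UTF-16LE password bytes)), where the salt is Base64-decoded first. The function names and sample values below are constructed for illustration; that this DNN install uses the unmodified provider scheme is an assumption.

```javascript
// Added example: replicates the stock ASP.NET SqlMembershipProvider scheme
// for passwordFormat="Hashed" with a non-keyed hash (assumed, not confirmed
// by the thread to be what this DNN site does).
const { createHash, timingSafeEqual } = require('node:crypto');

// saltB64 is the Base64 string as stored (PasswordSalt column in the standard
// ASP.NET membership schema). It must be decoded to raw bytes, not used as text.
function encodePassword(password, saltB64, algorithm = 'sha1') {
  const salt = Buffer.from(saltB64, 'base64');
  // .NET's Encoding.Unicode is UTF-16LE, not UTF-8.
  const pwd = Buffer.from(password, 'utf16le');
  // Salt bytes come first, then the password bytes.
  return createHash(algorithm).update(Buffer.concat([salt, pwd])).digest('base64');
}

// Compare against the stored hash in constant time.
function verifyPassword(password, saltB64, storedHashB64) {
  const expected = Buffer.from(storedHashB64, 'base64');
  const actual = Buffer.from(encodePassword(password, saltB64), 'base64');
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}

// A frequent cause of a mismatch, kept here only for comparison:
// the salt string and password concatenated as UTF-8 text.
function encodePasswordUtf8Mistake(password, saltB64) {
  return createHash('sha1').update(saltB64 + password, 'utf8').digest('base64');
}

// Constructed sample values (not real credentials or data from the thread).
const sampleSalt = Buffer.from('0123456789abcdef').toString('base64');
const sampleStored = encodePassword('Passw0rd!', sampleSalt);
console.log('provider-style hash :', sampleStored);
console.log('utf-8 text mistake  :', encodePasswordUtf8Mistake('Passw0rd!', sampleSalt));
console.log('verify correct      :', verifyPassword('Passw0rd!', sampleSalt, sampleStored));
console.log('verify wrong        :', verifyPassword('passw0rd!', sampleSalt, sampleStored));
```

If the output for a known test account still differs from the stored value, check which algorithm the membership provider is actually configured with before suspecting that the password is altered.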
