Open
Description
Is there an existing issue for this?
- I have searched the existing issues
Description of problem
DNN uses the SqlMembershipProvider with hashed passwords. Passwords are encrypted one-way using the SHA1 hashing algorithm. Passwords are hashed including an additional PasswordSalt (16 characters), which is random for every user.
NIST formally deprecated use of SHA-1 in 2011 and disallowed its use for digital signatures in 2013, and declared that it should be phased out by 2030.
Source: Wikipedia
“Modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government,”
Source: NIST Retires SHA-1 Cryptographic Algorithm (December 15, 2022)
Description of solution
Change Hash Algorithm from SHA1 to SHA256.
This requires a few changes, especially in:
- web.config: `<membership ... hashAlgorithmType="SHA256">`
- DNN MembershipPasswordController
- Backward compatibility for Passwords and PasswordHistory, which currently have everything in SHA1
Description of alternatives considered
No response
Anything else?
- Password encryption used by DNN (DNN Corp. Support)
- Hashed Passwords (DNN Community Wiki)
Do you plan to contribute code for this enhancement?
- Yes
Would you be interested in sponsoring this enhancement?
- Yes
Code of Conduct
- I agree to follow this project's Code of Conduct
jeremy-farrance
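
One way to handle the backward-compatibility item in the issue above is to verify against whichever algorithm produced the stored hash and re-hash with SHA256 on the next successful login. This is an added example, not DNN's code or the issue author's. `StoredCredential`, `PasswordMigration` and detecting the algorithm from digest length are hypothetical choices made here, and the encoding `Base64(Hash(saltBytes || UTF-16LE(password)))` is assumed to match the stock SqlMembershipProvider layout for hashed passwords.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical stand-in for a membership row; both fields hold Base64 text.
public sealed class StoredCredential { public string Password; public string PasswordSalt; }

public static class PasswordMigration
{
    // Assumed layout: Base64(Hash(saltBytes || UTF-16LE(password))).
    static string Encode(HashAlgorithm alg, string password, string saltB64)
    {
        byte[] salt = Convert.FromBase64String(saltB64);
        byte[] pwd = Encoding.Unicode.GetBytes(password);
        byte[] all = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, all, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, all, salt.Length, pwd.Length);
        return Convert.ToBase64String(alg.ComputeHash(all));
    }

    // Compares two Base64 digests without exiting early on the first mismatch.
    static bool SameDigest(string a, string b)
    {
        byte[] x = Convert.FromBase64String(a), y = Convert.FromBase64String(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }

    // Returns true when the password matches; a matching SHA1 row is
    // rewritten with a fresh 16-byte salt and a SHA256 digest.
    public static bool VerifyAndUpgrade(StoredCredential row, string password)
    {
        // A SHA1 digest decodes to 20 bytes, a SHA256 digest to 32.
        bool legacy = Convert.FromBase64String(row.Password).Length == 20;
        using (HashAlgorithm alg = legacy ? (HashAlgorithm)SHA1.Create() : SHA256.Create())
        {
            if (!SameDigest(Encode(alg, password, row.PasswordSalt), row.Password)) return false;
        }
        if (legacy)
        {
            byte[] salt = new byte[16];
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
            row.PasswordSalt = Convert.ToBase64String(salt);
            using (var sha256 = SHA256.Create())
                row.Password = Encode(sha256, password, row.PasswordSalt);
        }
        return true;
    }
}
```

PasswordHistory rows cannot be upgraded this way because the plaintext is never available for them; a history check has to hash the candidate password with each row's own algorithm.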