    Hash and Salt: Umbraco's default password storage method

    This article is reprinted from http://blog.reneorban.com/2014/10/hash-and-salt-umbraco-passwords.html

    Hash and Salt Umbraco passwords

    By default right now (I'm testing on version 7.1.4) Umbraco one-way hashes both Member and User passwords for you.  However, also by default, it will not salt your passwords.  Salting passwords is nearly as important as hashing them in the first place.  For example, if "johny48@email.com" were to sign up for your website with the password "test", it would by default produce an entry in the database like this:

    [Image: single hashed password]

    As you can see, the password is hashed to the value "W477AMlLwwJQeAGlPZKiEILr8TA=".  However, there is no salt on this password, so if "kate39@example.com" came along and also registered using the password "test", we would get the same hash value:


    This is not very good from a security point of view.  These values could very easily be rainbow tabled (just type "W477AMlLwwJQeAGlPZKiEILr8TA=" into Google and you will most likely find the original value).

    Enabling Password salting

    Umbraco actually supports hashing and salting as standard, and it's very easy to enable.  Within your Web.config file you will find a node called "membership".  Under this node you will find two providers named "UmbracoMembershipProvider" and "UsersMembershipProvider".  By default these will have the attribute "passwordFormat" set to "Hashed" - brilliant!  However, there is a second option named "useLegacyEncoding", which by default is set to "True".  This is what causes the non-salted passwords.  To enable salting, simply set "useLegacyEncoding" to "False".  You can see what this will do by looking at their code on their GitHub.
     
    After setting "useLegacyEncoding" to "False" I can update my members' password to "test" again, and two completely different hash values will be generated.
     
    [Image: hashed and salted Umbraco passwords]
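    The collision described above, as an added example that is not Umbraco's own code: a stand-in unsalted scheme (base64 of SHA-1, an assumption; Umbraco's real legacy encoding differs, so the values will not match the screenshots) beside a salted one, plus the audit a defender would run over a members table, flagging accounts that share an identical stored hash.

```python
"""Added illustration, not Umbraco's code. The 'legacy' scheme is a stand-in
(base64(SHA1(password))); Umbraco's real legacy encoding is different."""
import base64
import hashlib
import os
from collections import defaultdict
from typing import Dict, List, Optional


def legacy_hash(password: str) -> str:
    """Unsalted one-way hash: the same password always yields the same value."""
    return base64.b64encode(hashlib.sha1(password.encode("utf-16-le")).digest()).decode()


def salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted hash; the stored value embeds the salt so it can be verified later.
    PBKDF2-HMAC-SHA1 is used here as a stand-in (assumption), not Umbraco's scheme."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha1", password.encode("utf-16-le"), salt, 10000)
    return base64.b64encode(salt).decode() + "$" + base64.b64encode(digest).decode()


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare against the stored value."""
    salt_b64, _ = stored.split("$", 1)
    return salted_hash(password, base64.b64decode(salt_b64)) == stored


def find_duplicate_hashes(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit check: group accounts that share an identical stored value.
    Any group larger than one is a strong sign that passwords are not salted."""
    groups = defaultdict(list)
    for login, stored in records.items():
        groups[stored].append(login)
    return {h: logins for h, logins in groups.items() if len(logins) > 1}


# Constructed sample: the two members from the article, both using "test".
MEMBERS = {"johny48@email.com": "test", "kate39@example.com": "test"}


def legacy_table() -> Dict[str, str]:
    return {login: legacy_hash(pw) for login, pw in MEMBERS.items()}


def salted_table() -> Dict[str, str]:
    return {login: salted_hash(pw) for login, pw in MEMBERS.items()}


if __name__ == "__main__":
    print("legacy duplicates:", find_duplicate_hashes(legacy_table()))
    print("salted duplicates:", find_duplicate_hashes(salted_table()))
```

    Running the audit against the unsalted table groups both accounts under one hash; the salted table produces no groups, and each salted entry still verifies against "test".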
     

    The Catch

    Now there is a catch to this.  Because we have changed the way that passwords are validated and stored, poor johny48 and kate39 will no longer be able to log into our site.  They will have to update/change their passwords before they're able to log in once again.
     
    So if you have an existing site with members and users, this might cause you a few problems... However, if you're starting a site fresh, this really is a must.
     
    Additionally because there are two different membership providers you could enable salting for just members and not users or vice versa.
    Original address: https://www.cnblogs.com/wphl-27/p/6524513.html