How are passwords hashed?
I am implementing a requirement to prevent the users password from matching the last 5 passwords they used when they reset or change their password.
In K12 we used the UserGUID as part of the hash. All members were Users.
But in XbyK, Users are just for the CMS and Members are site only (correct?). Is the MemberGuid being used instead to hash member passwords?
Are there any other changes to the password hash in XbyK?
Environment
- Xperience by Kentico version: [30.3.1]
- .NET version: [8]
- Execution environment: [local]
- Link to relevant Xperience by Kentico documentation
Answers
TLDR; All of the K12 code for membership is gone. XbyK is based completely on modern ASP.NET Core features, including Identity.
Correct, members and users are completely separate in Xperience by Kentico. Members only have access to the customer experience of various channels and users only have access to the Xperience administration UI. They are stored in different tables in the db and have different security rules applied to them based on how you configure your application (ex: MFA, cookie expiration, SSO, etc...)
Both user and member authentication uses standard ASP.NET Core Identity for passwords - nothing special, nothing custom. You can view the code for the password hasher used by Identity. The default password hash iteration count is 100,000 iterations!
You can read more details about ASP.NET Core's implementation of password hashing, but here's two things to consider:
- It's security by default.
- You don't want to customize it.
To response this discussion, you have to login first.