Save in database Security.PasswordLoginInfo

Hi

I have changed the default password hasher to another one and now want to save the hashed password in the database in an import job.

Is there a service to alter the passwordhash column in Security.PasswordLoginInfo?
Or should I just use standard SQL statements for this?

Litium version: 7.2

Check out this related thread: Override HashPassword method?

What's the reason you want to switch the functionality for how the password is hashed?

Hi Nils and Patric

I already changed the password hashing. This is because the customer used a Drupal website and wanted to import all of their customers. (And changing/resetting passwords was not an alternative.)

Is there a service to alter the passwordhash column in Security.PasswordLoginInfo? Any suggestion on how this should be altered?

There is no service that you can use for updating the hashed password that exists in the database.

My recommendation is that you use the same pattern that is described in the post that Nils linked to: update the database with the old hash value prefixed with a symbol of your own, and if the hash starts with that symbol you know that you should use the old hashing algorithm. If the password hash then matches the old password hash, you send the notification that the password needs rehashing and let the system update the hash to what is standard in Litium.

Not sure which hashing algorithm the customer's Drupal installation is using; it depends on the version. Litium is using PBKDF2, and it's built to be slow by design, to slow down password dictionary attacks.

Hi again, I tried the suggestion from Nils by adding a CustomPasswordServiceDecorator, but it never reaches this code; instead it uses Litium's own: Litium.Application.Security.Cryptography.PasswordHasher.VerifyHashedPassword

Another question is how do I let the system update the hash: is it by just returning PasswordVerificationResult.SuccessRehashNeeded?

Thanks for your help!

The PasswordVerificationResult.SuccessRehashNeeded result is the way to let the system know that it should rehash the password.

In your case it can be that you should add the decorator on `Litium.Application.Security.Cryptography.PasswordHasher` instead.

Thanks! This works perfectly.
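The pattern recommended in this thread, as an added example that is not code from Litium or from any poster: imported rows store a marker followed by the old hash, a decorator verifies those rows with the old algorithm and returns `SuccessRehashNeeded`, and everything else goes to the standard hasher. The enum and interface are local stand-ins for the ASP.NET Identity shapes the thread refers to; `LegacyAwarePasswordHasher`, `LegacyMarker` and the `legacyHash` delegate are hypothetical names, and the Litium decorator registration is not shown.

```csharp
using System;
// Local stand-ins so the file compiles on its own; in a real project use the
// framework's PasswordVerificationResult and password hasher types instead.
public enum PasswordVerificationResult { Failed, Success, SuccessRehashNeeded }
public interface IPasswordHasher
{
    string HashPassword(string password);
    PasswordVerificationResult VerifyHashedPassword(string hashedPassword, string providedPassword);
}

// Decorator (hypothetical name). The import job is assumed to have written
// LegacyMarker + <old hash string> into the password hash column.
public sealed class LegacyAwarePasswordHasher : IPasswordHasher
{
    public const string LegacyMarker = "!legacy!"; // assumed; must never start a standard hash
    private readonly IPasswordHasher _inner;
    // (providedPassword, storedLegacyHash) -> hash recomputed with the salt and
    // parameters embedded in the stored value; supplied by the caller.
    private readonly Func<string, string, string> _legacyHash;

    public LegacyAwarePasswordHasher(IPasswordHasher inner, Func<string, string, string> legacyHash)
    {
        _inner = inner;
        _legacyHash = legacyHash;
    }

    // New and rehashed passwords always use the standard (slow) hasher.
    public string HashPassword(string password) => _inner.HashPassword(password);

    public PasswordVerificationResult VerifyHashedPassword(string hashedPassword, string providedPassword)
    {
        // No marker: this row already holds a standard hash.
        if (hashedPassword == null || !hashedPassword.StartsWith(LegacyMarker, StringComparison.Ordinal))
            return _inner.VerifyHashedPassword(hashedPassword, providedPassword);
        string stored = hashedPassword.Substring(LegacyMarker.Length);
        string computed = _legacyHash(providedPassword, stored);
        // A legacy match never returns plain Success, so the row gets upgraded.
        return FixedTimeEquals(stored, computed)
            ? PasswordVerificationResult.SuccessRehashNeeded
            : PasswordVerificationResult.Failed;
    }

    // Comparison whose running time does not depend on where the strings differ.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```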
