Last post Dec 29, 2005 08:33 PM by staffanberger
Dec 29, 2005 06:06 PM|staffanberger
I'm a little confused... I thought that SHA-1 was a one way encoding algorithm...
However, the DotNetNuke.Entities.Users.UserMembership contains the user's password in plain text.
Is there some config setting so the password also is stored somewhere else non-encoded for "remember password mail usage" and can it be disabled?
Where exactly is the password fetched into the UserMembership object? I did a single step debug several times, but I missed it...
Dec 29, 2005 08:12 PM|cathal
You're correct SHA1 is used for hashing, and therefore is not reversible, however we use encryption and not hashing as the default password setting. This is set in web.config via passwordFormat, and we're using triple-des encryption. When using encryption the memberrole API handles the serialisation of the values and the automatic encryption/decryption.
The memberrole api does have an enablePasswordRetrieval attribute but we haven't integrated that functionality (yet) - see the DotNetNuke Membership.pdf doc for more details.
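A defender-side check for the setting described in the reply above, added here as an example and not taken from the thread or from DotNetNuke: it parses a web.config and reports membership providers whose passwordFormat is not Hashed or that enable password retrieval. The sample config, provider names and type are constructed placeholders, and the fallback defaults are assumed to match ASP.NET's SqlMembershipProvider.

```python
import xml.etree.ElementTree as ET

# Constructed sample; provider names and type are placeholders, not DotNetNuke's.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <membership defaultProvider="ExampleEncrypted">
      <providers>
        <add name="ExampleEncrypted" type="Example.Placeholder.Provider"
             passwordFormat="Encrypted" enablePasswordRetrieval="true" />
        <add name="ExampleHashed" type="Example.Placeholder.Provider"
             passwordFormat="Hashed" enablePasswordRetrieval="false" />
      </providers>
    </membership>
  </system.web>
</configuration>"""


def _local(tag):
    """Drop an XML namespace prefix such as '{uri}membership'."""
    return tag.rsplit("}", 1)[-1]


def audit_membership(config_xml):
    """Return (provider, attribute, value) for each setting that keeps passwords recoverable."""
    findings = []
    root = ET.fromstring(config_xml)
    for membership in (e for e in root.iter() if _local(e.tag) == "membership"):
        for providers in (e for e in membership if _local(e.tag) == "providers"):
            for add in (e for e in providers if _local(e.tag) == "add"):
                name = add.get("name", "(unnamed)")
                # Assumed defaults when an attribute is absent: Hashed / false,
                # as in ASP.NET's SqlMembershipProvider.
                fmt = add.get("passwordFormat", "Hashed")
                retrieval = add.get("enablePasswordRetrieval", "false")
                if fmt.lower() != "hashed":  # Clear or Encrypted: reversible
                    findings.append((name, "passwordFormat", fmt))
                if retrieval.lower() == "true":
                    findings.append((name, "enablePasswordRetrieval", retrieval))
    return findings


if __name__ == "__main__":
    for name, attr, value in audit_membership(SAMPLE_WEB_CONFIG):
        print(f"{name}: {attr}={value} leaves passwords recoverable")
```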
Dec 29, 2005 08:33 PM|staffanberger
Thanks for clearing this up! I should of course have consulted the documentation more carefully first...