User Passwords Within InstantForum


Securing InstantForum

By default InstantForum uses salted SHA512 hashes for all user passwords. InstantForum supports multiple password encryption and hashing algorithms. You can configure the method InstantForum will use by editing the "InstantASP_CryptographyMethod" application setting within the InstantForum web.config.

For example...

<add key="InstantASP_CryptographyMethod" value="SHA512" />

IMPORTANT
It's important to choose the right hashing or encryption algorithm for user passwords before your installation is deployed into production. Typically you don't need to change this value; however, once your installation has real users, changing the encryption option may prevent those users from logging in again.

The supported encryption & hashing options for this setting are...

TripleDES

This weak encryption option is provided for legacy reasons and should not be used for new InstantForum installations. We would not recommend using this option.

MD5

This weak encryption option is provided for legacy integration reasons and should not be used for a fresh InstantForum installation. We would not recommend using this option.

SHA1, SHA256, SHA384 or SHA512

InstantForum 2013 and above uses SHA512 by default to one-way hash all user passwords. Passwords are salted before being hashed using a unique, cryptographically safe random salt for each user. Whilst this option is quite secure, if an attacker gains direct access to your database they will have access to all user hashes and salts. Whilst it's more time and resource intensive, it's still possible for a knowledgeable attacker to run dictionary / rainbow-table attacks against salted SHA hashes.

HMAC

HMAC is similar to SHA hashing but offers a further layer of protection through the use of a private key, contained within your application's web.config file, that is also used to generate password hashes. If an attacker gains direct access to your database they would have access to user hashes and salts, but they would not have access to the private key also used to generate the hash, making dictionary / rainbow-table attacks virtually impossible.

AES

AES support was added with our InstantForum 2015-1 release.

Unlike SHA or HMAC, AES is not a hashing algorithm but a key-based two-way encryption algorithm. Whilst AES allows passwords to be reversed, it's still currently a more secure option than all hashing algorithms.

By default the implementation of AES within InstantForum uses a 256-bit private key which can be defined within the InstantForum web.config file, so it's independent from your database where encrypted passwords are stored. To edit this private key you would need to edit the "InstantASP_CryptographyAESKey" option within the web.config. Further comments are provided within the web.config file.

InstantForum also uses the more secure cipher block chaining (CBC) mode for our AES implementation rather than ECB. You can set a unique 128-bit initialization vector for CBC mode, again within the InstantForum web.config file, by modifying the "InstantASP_CryptographyAESVector" application setting.

Salt & Pepper

InstantForum uses a unique, cryptographically safe per-user salt which is combined with the user's password before hashing occurs; the resulting hash is stored in the database. In addition to the unique per-user salt, for extra security InstantForum also combines an application-wide "pepper" with the per-user salt before hashing occurs. This pepper is stored separately from your database, within your InstantForum web.config file.

You can see this pepper below...

<add key="InstantASP_CryptographyHashPepper" value="1092317465" />

NOTE
We would strongly suggest changing this default pepper to any valid integer before you deploy InstantForum. Once users have created accounts within InstantForum, and if you're using one-way hashing for user passwords, you cannot change this pepper. Changing the pepper will prevent existing users who have a hashed password from logging in.

By default InstantForum never stores user passwords within the database. We only store a one-way salted & peppered hash representing the user's password. This hash is regenerated whenever the user attempts to log in and compared against the hash in the database.
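The following is an added illustration of the salted-and-peppered scheme described in the SHA/HMAC and Salt & Pepper sections above; it is not InstantForum's own code. It assumes a pepper + salt + password concatenation order (the article does not state the exact order), a hypothetical "InstantASP_CryptographyHMACKey" setting name for the HMAC private key, and constructed sample values in place of the real web.config.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the web.config application settings (not real values).
# "InstantASP_CryptographyHMACKey" is a hypothetical setting name; the article only
# says the HMAC private key lives in web.config.
CONFIG = {
    "InstantASP_CryptographyMethod": "SHA512",          # or "HMAC"
    "InstantASP_CryptographyHashPepper": "1092317465",  # application-wide pepper
    "InstantASP_CryptographyHMACKey": "example-private-key-change-me",
}


def new_salt(length=16):
    """Per-user salt from the OS CSPRNG; stored in the database next to the hash."""
    return os.urandom(length).hex()


def _material(password, salt, pepper):
    # Assumed combination order: pepper + salt + password, UTF-8 encoded.
    return (pepper + salt + password).encode("utf-8")


def hash_password(password, salt, config):
    """Return the hex digest InstantForum-style storage would keep for this user."""
    method = config["InstantASP_CryptographyMethod"].upper()
    pepper = config["InstantASP_CryptographyHashPepper"]
    data = _material(password, salt, pepper)
    if method in ("SHA1", "SHA256", "SHA384", "SHA512"):
        return hashlib.new(method.lower(), data).hexdigest()
    if method == "HMAC":
        # Keyed hash: without the web.config key, a stolen database row cannot be
        # matched against a candidate password offline.
        key = config["InstantASP_CryptographyHMACKey"].encode("utf-8")
        return hmac.new(key, data, hashlib.sha512).hexdigest()
    raise ValueError("unsupported cryptography method: " + method)


def verify_password(password, salt, stored_hash, config):
    """Recompute the hash at login and compare in constant time."""
    candidate = hash_password(password, salt, config)
    return hmac.compare_digest(candidate, stored_hash)


def demo():
    salt = new_salt()
    stored = hash_password("correct horse", salt, CONFIG)
    ok = verify_password("correct horse", salt, stored, CONFIG)
    wrong = verify_password("wrong password", salt, stored, CONFIG)
    # Changing the pepper after users exist invalidates every stored hash (the NOTE above).
    repeppered = dict(CONFIG, InstantASP_CryptographyHashPepper="42")
    after_change = verify_password("correct horse", salt, stored, repeppered)
    return ok, wrong, after_change
```

demo() returns (True, False, False): the correct password verifies, a wrong one does not, and the same correct password fails once the pepper is changed.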

Password Resets

If a user forgets their password and is not able to log in to InstantForum, they can choose to have a password reset link sent to their email address. The user can then use this link to provide a new password. Password reset links expire over time and expire immediately the moment the user provides a new password.

If you are using one of the newer encryption / hashing options (MD5, SHA, HMAC or AES) we will never send a user's password in plain text via email. If you are using our legacy TripleDES encryption option, passwords will be sent in plain text via email. Newer versions of InstantForum use SHA512 for hashing by default.


Details

Product: InstantForum
Type: INFO
Last Modified: Last Year
Last Modified By: Ryan Healey