By default InstantForum uses salted SHA512 hashes for all user passwords. InstantForum supports multiple password encryption and hashing algorithms. You can configure the method InstantForum will use by editing the "InstantASP_CryptographyMethod" application setting within the InstantForum web.config.
<add key="InstantASP_CryptographyMethod" value="SHA512" />
It's important the choose the right hashing or encryption algorithm to use for user passwords before your installation is deployed into production. Typically you don't need to change this value however if you do change this it's important to remember once your installation has real users changing the encryption options may prevent users from further logins.
The supported encryption & hashing options for this setting are...
This weak encryption option is provided for legacy reasons and should not be used for new InstantForum installation. We would not recommend using this option.
This weak encryption option is provided for legacy integration reasons and should not be used for a fresh InstantForum installation. We would not recommend using this option.
SHA1, SHA256, SHA384 or SHA512
InstantForum 2013 and above uses SHA512 by default to one way hash all user passwords. Passwords are salted before being hashed using a unique cryptographically safe random salt for each user. Whilst this option is quite secure if an attacker gains direct access to your database they will have access to all user hashes and salts. Whilst it's more time and resource intensive it's still possible for a knowledgeable attacker to dictionary / rainbow attack salted SHA hashes.
HMAC is similar to SHA hashing but offers a further layer of protection through the use of a private key contained within your applications web.config file that is also used to generate password hashes. If an attacker gains direct access to your database they would have access to user hashes and salts but they would not have access to the private key also used to generate the hash making dictionary / rainbow attacks virtually impossible.
AES support was added with our InstantForum 2015-1 release.
Unlike SHA or HMAC AES is not a hashing algorithm but is a key based two-way encryption algorithm. Whilst AES allows passwords to be reversed it's still currently a more secure option than all hashing algorithms.
By default the implementation of AES within InstantForum uses a 256 bit private key which can be defined within the InstantForum web.config file so it's independent from your database where encrypted passwords are stored.To edit this private key you would need to edit the "InstantASP_CryptographyAESKey" option within the web.config. Further comments are provided within the web.conf g file.
InstantForum also uses the more secure cipher block chaining (CBC) for our AES implementation rather than EBC. You can set a unique 128 bit initialization vector for CBC mode again within the InstantForum web.config file by modifying the "InstantASP_CryptographyAESVector" application setting.
Salt & Pepper
InstantForum uses a unique cryptographically safe per user salt which is combined with user passwords before hashing occurs and the hash is stored in the database. In addition to a unique per user salt for extra security InstantForum also combine an application wide "Pepper" with the per user salt before hashing occurs. This pepper is stored separately from your database within your InstantForum web.config file.
You can see this pepper below...
<add key="InstantASP_CryptographyHashPepper" value="1092317465" />
We would strongly suggest changing this default pepper to any valid integer before you deploy IstantForum. Once users have created accounts within InstantForum and if your using one way hashing for user passwords you cannot change this pepper. Changig the pepper will prevent existing users who have a hashed password from logging in.
By default InstantForum never stores user passwords within the database. We only store a one way salted & peppered hash representing the users password. This hash is generated whenever the user attempts to login and compared against the hash in the database.
If a user forgets there password and is not able to login to InstantForum they can choose to have a password reset link sent to there email address. A user can then use this link to provide a new password. Password reset links will expire over time and will immediately expire the moment the user provides a new password.
If you are using newer encryption / hashing option MD5, SHA, HMAC, AES we will never send a users password in plain text via email. If you are using our legacy TripleDES encryption option passwords will be sent in plain text via email. Newer versions of InstantForum use SHA512 for hashing by default.
Optionally provide private feedback to help us improve this article...
Thank you for your feedback!