MD5 for password encryption in Kentico 10
Kentico 10 introduced a new, much safer password format, which is great!
PBKDF2, the default and recommended option with the strongest security, applies a cryptographic function to passwords and repeats the operation many times.
The new Kentico no longer supports the MD5 password format, which is considered to suffer from extensive vulnerabilities.
Recently we had a case that required importing users from an old system into Kentico, of course without affecting user credentials.
We needed to implement custom functionality that re-enabled MD5 password format support in Kentico 10. Funny, no?
First, for the user import, we wrote a simple piece of code that creates users (reading them from an Excel file).
For the import to save the password exactly as it comes from the Excel file, set the Kentico password format to plain text. After the import, change it back to the default value (or any other password format).
After the import, these users will have UserPasswordFormat set to MD5 in the Kentico DB, even though Kentico 10 no longer offers this option.
Now, all that is left to implement is a custom authentication module that lets these users log in without changing their passwords.
The code looks like this:
On module initialization, it assigns a handler to the SecurityEvents.Authenticate.Execute event.
The authentication method should validate the user's password based on the user's password format.
Use the .NET MD5CryptoServiceProvider to compute the MD5 hash:
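As an added example (not the author's code), here is a module of the shape described above. The module and class names, the Kentico 10 event and provider calls it relies on, and the legacy hash layout (unsalted lowercase hex MD5 of the UTF-8 password) are assumptions; on a successful legacy login it re-hashes the password with the currently configured PBKDF2 format, so the MD5 hash is consulted once and then retired.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using CMS;
using CMS.DataEngine;
using CMS.Membership;
// The module name "LegacyMd5Auth" is a hypothetical choice for this example.
[assembly: RegisterModule(typeof(LegacyMd5AuthModule))]
public class LegacyMd5AuthModule : Module
{
    public LegacyMd5AuthModule() : base("LegacyMd5Auth") { }
    protected override void OnInit()
    {
        base.OnInit();
        // Assumed Kentico 10 API: the handler runs on every login attempt.
        SecurityEvents.Authenticate.Execute += OnAuthenticate;
    }
    private static void OnAuthenticate(object sender, AuthenticationEventArgs e)
    {
        if (e.User != null) return; // already authenticated by another handler or phase
        // Only imported accounts still carry the legacy "MD5" marker; everyone else falls through to PBKDF2.
        UserInfo user = UserInfoProvider.GetUserInfo(e.UserName);
        if (user == null || !"MD5".Equals(user.UserPasswordFormat, StringComparison.OrdinalIgnoreCase))
            return;

        string stored = Convert.ToString(user.GetValue("UserPassword"));
        if (!FixedTimeEquals(Md5Hex(e.Password), stored))
            return; // wrong password: e.User stays unset, so the login fails

        // Correct legacy password: re-hash with the currently configured (PBKDF2) format (assumed SetPassword behaviour).
        UserInfoProvider.SetPassword(user, e.Password);
        e.User = user;
    }
    // Assumes the old system stored the unsalted, lowercase hex MD5 of the UTF-8 password.
    private static string Md5Hex(string password)
    {
        using (var md5 = new MD5CryptoServiceProvider())
            return BitConverter.ToString(md5.ComputeHash(Encoding.UTF8.GetBytes(password)))
                               .Replace("-", "").ToLowerInvariant();
    }
    // Compares every character regardless of where the first mismatch is (no early exit).
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Once every imported account has logged in once, no row should still have UserPasswordFormat = MD5, which is the point at which the module can be removed.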