Change the hash algorithm for password encryption

Current version: 10.4

Applies to

All core roles that require Sitecore client access (Content Management and EXM Dispatch).

Sitecore Installation Framework

Hash algorithm not changed by default.

Azure Toolkit

Hash algorithm not changed by default.

For user management, Sitecore uses the Microsoft ASP.NET membership provider by default.

When you create a new website, you must change the weak default hash algorithm (SHA1) that is used to encrypt user passwords to a stronger algorithm. The supported hash algorithms are listed in the Microsoft documentation for the CryptoConfig Class.

To change the hash algorithm:

  1. Login as an administrator while still having the SHA1 configuration in both Sitecore XP and the Identity Server.

  2. Modify the configuration files so both Sitecore and Identity Server use the same setting value.

    1. Update the web.config file. In the <membership> node, set the hashAlgorithmType setting to the appropriate value. We recommend that you use SHA512.

    2. If you use Sitecore Identity, you must also change the algorithm on the Sitecore Identity server. You specify the algorithm in the PasswordHashAlgorithm node in the \sitecore\Sitecore.Plugin.IdentityServer\Config\identityServer.xml file.

  3. Use the User Manager application to change the admin password, so that it is hashed with the new algorithm.

    Note

    After you have changed the hash algorithm, you are no longer able to type a new admin password when you want to change it. Instead, to get a new hashed admin password, click Generate.

  4. Update the passwords for other users to hash them with the new algorithm.

Important

The Microsoft ASP.NET membership provider does not provide a facility for upgrading to a different hash algorithm after you have created some user accounts. If you change the hash algorithm, existing users can no longer log into the system and must create new passwords.

Do you have some feedback for us?

If you have suggestions for improving this article,