How do I enable hashed passwords?
Versions: 4.41 - 4.70
FAQ number: 135
Old FAQ number: 3276
Introduction
As of EPiServer 4.41, passwords for extranet users are stored cryptographically hashed in the database. This means that a password cannot be retrieved in its original form; passwords can only be changed, or compared with the credentials entered by the user. Together with the hash value, a salt value generated per user is combined with the password before hashing, in effect enhancing the protection by, for example, ensuring that users with identical passwords get different hash values.
This feature is enabled by default on all new installations but not on upgrades. Even though the EPiServer API is fully backward compatible, there may be other reasons for not wanting to enable this:
• You have custom functionality that for some reason reads the password directly from the database. This approach is not recommended by ElektroPost.
• You have an upgraded EPiServer 3 site that is using extranet users with EPiSec. EPiSec is not compatible with hashed passwords.
Passwords for Windows and LDAP users are never stored in the database and are not affected by this feature. This only applies to extranet users created in EPiServer.
To enable this feature, make sure the EPfEnableClearTextPasswords setting is set to False. If you have existing users, you need to convert all passwords to the hashed version using the tool described below, or manually change the password of every user.
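The two pieces of the mechanism described above, per-user salted hashing and a one-time conversion of an existing clear-text user store, as an added illustration that is not EPiServer's own code. The article does not say which hash function, iteration count or salt length EPiServer uses, so those parameters (PBKDF2-HMAC-SHA256, 200,000 iterations, 16-byte salt), the `HashedCredential` record and the sample user store are assumptions constructed for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed parameters: the FAQ does not document the product's actual
# algorithm, so these are choices made for this example only.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


@dataclass(frozen=True)
class HashedCredential:
    """What gets stored per user instead of the clear-text password."""
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> HashedCredential:
    """Hash a password with a fresh random salt (or a supplied one)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # per-user salt, generated on the fly
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return HashedCredential(salt=salt, digest=digest)


def verify_password(candidate: str, stored: HashedCredential) -> bool:
    """Compare a login attempt against the stored record.

    The stored salt is reused so the candidate is hashed the same way;
    the original password is never reconstructed, only recomputed and
    compared in constant time.
    """
    recomputed = hashlib.pbkdf2_hmac(HASH_NAME, candidate.encode("utf-8"), stored.salt, ITERATIONS)
    return hmac.compare_digest(recomputed, stored.digest)


def convert_clear_text_store(clear_text_users: Dict[str, str]) -> Dict[str, HashedCredential]:
    """One-time migration: replace every clear-text password with a salted hash.

    This mirrors what a conversion step has to do before clear-text
    passwords can be switched off: each user gets their own salt, so two
    users sharing a password end up with different stored values.
    """
    return {user: hash_password(pw) for user, pw in clear_text_users.items()}


if __name__ == "__main__":
    # Constructed sample store; two users deliberately share a password.
    legacy_store = {"alice": "Winter2024!", "bob": "Winter2024!"}
    hashed_store = convert_clear_text_store(legacy_store)
    for user, cred in hashed_store.items():
        print(user, cred.salt.hex(), cred.digest.hex()[:16] + "...")
    print("alice login ok:", verify_password("Winter2024!", hashed_store["alice"]))
    print("alice wrong pw:", verify_password("winter2024!", hashed_store["alice"]))
```

Running the script shows the point the FAQ makes: alice and bob have the same password but different stored digests, because each record carries its own salt, and a login attempt is checked by rehashing with that salt rather than by decrypting anything.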
Install conversion tool
Unzip the file to your web server; for security reasons, ConvertToHashedPasswords.aspx should be placed in the admin directory. Then open http://SITENAME/admin/ConvertToHashedPasswords.aspx in your web browser and hit the "Convert" button.
Download conversion utility