
Checkup Documentation

Plain text password format

Tags: severity-critical, cms-settingskey-password-format-is-plain-text

Summary

Kentico provides several options for storing user passwords in the database. A password can either be stored as the output of a cryptographic hash function or saved in plain text (not recommended).

More info can be found here:
https://docs.xperience.io/k12sp/securing-websites/designing-secure-websites/securing-user-accounts-and-passwords/setting-the-user-password-format


Check Logic

Constant Care for Kentico checks that the Password format setting is not set to plain text (default).

You can manage your settings for this checkup in the Constant Care for Kentico admin settings.


Resolution

To determine how your users' passwords are being stored, you can navigate to the Settings application and then find the Security & Membership > Passwords General settings.

The password format should be anything other than "Plain text".

We would recommend setting it to "PBKDF2", as this is the strongest security option at this time.

IMPORTANT: Changing this setting only affects passwords stored from that point forward; passwords that are already saved in plain text stay in plain text. If you have users with plain text passwords, it would be best to put a plan in place to have those users reset their passwords.
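As an added illustration of the check logic and of what the resolution above does and does not fix, the script below audits constructed CMS_SettingsKey-style rows for the CMSPasswordFormat setting and resolves the effective value per site (a site-level value overrides the global one; a missing site value inherits). It is example code, not part of Constant Care for Kentico or of Kentico itself; the value codes (empty string for plain text, SHA1, SHA2, SHA2SALT, PBKDF2) and the inheritance rule are assumptions about how the setting is stored.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Kentico settings key that holds the password format.
PASSWORD_FORMAT_KEY = "CMSPasswordFormat"

# Assumed stored value codes -> display names (empty value = plain text).
FORMAT_NAMES = {
    "": "Plain text",
    "SHA1": "SHA-1",
    "SHA2": "SHA-2",
    "SHA2SALT": "SHA-2 with salt",
    "PBKDF2": "PBKDF2",
}


@dataclass
class SettingsKeyRow:
    key_name: str
    key_value: Optional[str]  # None on a site row = inherit the global value
    site_id: Optional[int]    # None = global (site-independent) row


def effective_password_format(rows: List[SettingsKeyRow], site_id: int) -> str:
    """Resolve the format a site really uses: site override, else global.
    A missing value is treated as an empty string, i.e. plain text (assumption)."""
    global_value = None
    site_value = None
    for row in rows:
        if row.key_name != PASSWORD_FORMAT_KEY:
            continue
        if row.site_id is None:
            global_value = row.key_value
        elif row.site_id == site_id:
            site_value = row.key_value
    value = site_value if site_value is not None else global_value
    return value or ""


def audit_password_format(rows: List[SettingsKeyRow],
                          site_ids: List[int]) -> List[Tuple[int, str, str]]:
    """One finding per site: (site_id, format name, severity).
    Plain text is critical (the checkup's severity); any hash other than
    PBKDF2 is flagged as a warning because PBKDF2 is the recommended option."""
    findings = []
    for sid in site_ids:
        fmt = effective_password_format(rows, sid)
        name = FORMAT_NAMES.get(fmt, f"unknown ({fmt})")
        severity = "critical" if fmt == "" else ("ok" if fmt == "PBKDF2" else "warning")
        findings.append((sid, name, severity))
    return findings


# Constructed sample rows: global SHA2SALT, site 1 overridden to plain text,
# site 2 inheriting the global value, site 3 set to PBKDF2.
SAMPLE_ROWS = [
    SettingsKeyRow(PASSWORD_FORMAT_KEY, "SHA2SALT", None),
    SettingsKeyRow(PASSWORD_FORMAT_KEY, "", 1),
    SettingsKeyRow(PASSWORD_FORMAT_KEY, None, 2),
    SettingsKeyRow(PASSWORD_FORMAT_KEY, "PBKDF2", 3),
]
```

Running `audit_password_format(SAMPLE_ROWS, [1, 2, 3])` flags site 1 as critical even though the global setting is hashed, which is why the check has to be evaluated per site rather than only against the global value.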

Not sure what to do?

If you are ever unsure about making changes to your site, we encourage you to reach out to your Kentico Xperience Gold Partner. If you do not have a partner, feel free to contact the Constant Care for Kentico team to get connected with an expert.