Checkup Documentation

Password format is not recommended

severity-high cms-settingskey-password-format-recommendation

Summary

Kentico provides several options for storing user passwords in the database. The passwords can either be secured using a cryptographic function or saved in plain text (not recommended).

Depending on the version of Kentico, the recommended password format is either PBKDF2 (for K10 and up) or SHA-2 with salt (for older versions).

More info can be found here:
https://docs.xperience.io/k12sp/securing-websites/designing-secure-websites/securing-user-accounts-and-passwords/setting-the-user-password-format


Check Logic

Constant Care for Kentico checks that the Password format setting is set to the recommended format (which is also the default).

You can manage your settings for this checkup in the Constant Care for Kentico admin settings.


Resolution

To determine how your users' passwords are being stored, you can navigate to the Settings application and then find the Security & Membership > Passwords General settings.

On K10 and up, we recommend setting it to "PBKDF2", as this is the strongest option available at this time. For older versions, set it to SHA-2 with salt.

IMPORTANT: This will only change passwords going forward. If you have users with passwords in other formats, and you would like them to be in the new format, you would need to put a plan in place to have those users reset their passwords.
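The following is an added example, not Constant Care for Kentico's own check code. It mirrors the check logic above (the configured format must equal the version's recommended format) and then applies the IMPORTANT note: because changing the setting only affects new passwords, it reads per-user stored formats to list the accounts that still need a reset. It assumes the setting is stored as CMSPasswordFormat with the values PBKDF2, SHA2SALT, SHA2, SHA1 and "" (plain text), that each CMS_User row carries a UserPasswordFormat column, and the sample rows are constructed.

```python
from collections import Counter

# Recommended value of the (assumed) CMSPasswordFormat setting per Kentico
# major version, exactly as the page states: PBKDF2 for K10+, SHA-2 with
# salt for older versions.
def recommended_format(major_version: int) -> str:
    return "PBKDF2" if major_version >= 10 else "SHA2SALT"

# Relative strength of the stored formats (assumed value names); "" is plain
# text. Any unknown value is treated as weakest so it is never silently skipped.
STRENGTH = {"": 0, "SHA1": 1, "SHA2": 2, "SHA2SALT": 3, "PBKDF2": 4}

def check_password_format(major_version: int, configured: str) -> tuple:
    """Checkup logic: pass only when the setting equals the recommended format."""
    want = recommended_format(major_version)
    if configured == want:
        return True, f"OK: CMSPasswordFormat is {want}"
    shown = configured or "plain text"
    return False, f"FAIL: CMSPasswordFormat is '{shown}', expected {want}"

def users_needing_reset(users: list, configured: str) -> list:
    """Accounts whose stored hash is weaker than the configured format.
    These are the users a password-reset plan must cover."""
    target = STRENGTH[configured]
    return sorted(u["UserName"] for u in users
                  if STRENGTH.get(u["UserPasswordFormat"], 0) < target)

def format_breakdown(users: list) -> dict:
    """How many accounts are stored in each format (for sizing the reset plan)."""
    return dict(Counter(u["UserPasswordFormat"] or "plaintext" for u in users))

# Constructed rows standing in for: SELECT UserName, UserPasswordFormat FROM CMS_User
SAMPLE_USERS = [
    {"UserName": "administrator", "UserPasswordFormat": "PBKDF2"},
    {"UserName": "editor", "UserPasswordFormat": "SHA2SALT"},
    {"UserName": "legacy", "UserPasswordFormat": "SHA1"},
    {"UserName": "public", "UserPasswordFormat": ""},
]

if __name__ == "__main__":
    ok, msg = check_password_format(12, "PBKDF2")
    print(msg)
    print("Stored formats:", format_breakdown(SAMPLE_USERS))
    print("Plan a reset for:", users_needing_reset(SAMPLE_USERS, "PBKDF2"))
```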

Not sure what to do?

If you are ever unsure about making changes to your site, we encourage you to reach out to your Kentico Xperience Gold Partner. If you do not have a partner, then feel free to contact the Constant Care For Kentico team to get connected with an expert.