Decrypting passwords to migrate from v7 to v10
# help-with-umbraco
s
Currently migrating members from v7 to v10 using CMSImport but ran into a blocker with passwords. Hash algorithms are different from v7 to v10 so can't migrate the passwords. Has anyone had previous experience of this? Or any type of password decryption?
j
Think what most people end up doing is resetting all member passwords, whether that is sending bulk emails asking them to reset their password or setting a flag on them that you catch on logins to let them know they need a new password
k
Passwords are undecryptable. Can't you set the v10 hash algorithm to the v7 one?
Maybe you could extend the built-in member provider and replace the password part. Either the actual validation mechanism, or the algorithm.
s
@Jemayn yeah, we're now thinking about resetting on first login if we can't migrate the passwords
@kdx-perbol Hash algorithm types are different in v7 and v10 so can't.
j
The benefit is then you can also force them into new and better password complexity requirements 😄
a
Complexity isn't per se better 😛
j
Very true, mostly just speaking from experience with lots of old v7 sites that had really low minlength requirements.. I see in the docs that it says at least the latest v7 defaults to 10 chars, so may have been a deliberate choice on several of the old sites I've worked on..
s
Long is great, complex.. doesn't matter as much indeed
We started requiring longer passwords in v7 only in the later versions, so probably not a deliberate choice to begin with!
j
Ahh that may explain it - just remembering a customer complaining that it won't allow him to use his old password after a migration to a 9+ version.. the password was the zip code he lives in which is a 4 digit number 🙈
s
😂 omg
k
I think you can override the MemberSignInManager as in https://www.jeroenbreuer.nl/blog/virtual-members-in-umbraco/ and validate passwords with the old algorithm. (Yes, yes, bad idea, etc)
s
I have an alternative approach. v10 site looks to see if member exists on login. If not - hits an API in the old website I've written with the username and password. If the v7 site can log them in, a response with their user details is returned. The v10 site then creates the member - hashes the password supplied and logs the m7 member in. The member has no idea this has happened in the background - there's no messy migration. You obviously need to secure this API and it does mean running a copy of the v7 site in a secure manner out of sight but it works well. (Hint - remember to cover use cases for forgotten passwords).
h
I also used the same process as Steve, with one minor difference: if the old password failed the new validation criteria, it created the new member with a randomly generated password and redirected them to the password reset page