Enhancing Sitecore Security: Implementing PBKDF2 for Password Encryption

Here are some key reasons highlighting why PBKDF2 is more important for password encryption compared to the default recommendation of SHA-512 by Sitecore:

1. In the constantly changing world of cybersecurity, depending solely on SHA-512 for password encryption in Sitecore may expose your system to brute-force attacks. PBKDF2, with its key stretching capabilities, provides enhanced protection by significantly increasing the computational effort needed to crack passwords.
2. Although Sitecore’s default SHA-512 hashing algorithm offers a strong basis for password encryption, it falls short in providing the adaptive security needed to address modern threats. PBKDF2 (Password-Based Key Derivation Function 2) enhances security by introducing multiple hashing iterations, adding complexity, and significantly lowering the risk of unauthorized access.
3. While Sitecore’s use of SHA-512 for password encryption is effective, it may not provide adequate protection against sophisticated hacking techniques. PBKDF2 stands out as a more resilient alternative, designed to slow down brute-force attempts by incorporating multiple rounds of hashing and salting.
4. As cybersecurity threats continue to escalate, the standard SHA-512 hashing algorithm recommended by Sitecore might not provide the necessary defense against sophisticated attacks. PBKDF2 offers an enhanced level of security by making the password-cracking process exponentially more difficult.

Using PBKDF2 with Sitecore

The .NET framework includes a class that implements the PBKDF2 algorithm, but its implementation can be challenging to integrate with a membership provider. Fortunately, the Zetetic.Security NuGet package simplifies this process by wrapping PBKDF2 into a KeyedHashAlgorithm, making it easily compatible with membership providers.

Here are the steps:

1. Add a reference to the Zetetic.Security package in your project.

dotnet add package Zetetic.Security --version 1.1.0

2. Open your Global.asax file and add the following code.

 public void Application_BeginRequest(object sender, EventArgs args)
 {
     System.Security.Cryptography.CryptoConfig.AddAlgorithm(typeof(Zetetic.Security.Pbkdf2Hash), "PBKDF2");
 }

3. Update your web.config file to use the PBKDF2 hashing algorithm.

 <membership defaultProvider="sitecore" hashAlgorithmType="PBKDF2"> <!-- SHA512 -->
      <providers>
        <clear />
        <add name="sitecore" type="Sitecore.Security.SitecoreMembershipProvider, Sitecore.Kernel" realProviderName="sql" providerWildcard="%" raiseEvents="true" />
        <add name="sql" type="System.Web.Security.SqlMembershipProvider" connectionStringName="security" applicationName="sitecore" minRequiredPasswordLength="8" minRequiredNonalphanumericCharacters="1" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" passwordStrengthRegularExpression="(?=.{8,})(?=.*[\d])(?=.*[a-z])(?=.*[A-Z]).*" />
        <add name="disabled" type="Sitecore.Security.DisabledMembersipProvider, Sitecore.Kernel" applicationName="sitecore" />
        <add name="switcher" type="Sitecore.Security.SwitchingMembershipProvider, Sitecore.Kernel" applicationName="sitecore" mappings="switchingProviders/membership" />
      </providers>
    </membership>

Expected Issue: Once you change the existing hashing algorithm, all current users, including the Admin, will be unable to login because the existing hashes are in SHA512, and the membership provider will now expect PBKDF2 hashes.

Solution (Reset Admin and other user’s passwords):

1. You can use the ‘Forgot your password’ option if the mail server settings have been configured in your instance. However, in most cases, the mail server is not set up in the Dev environment.
2. First, reset your admin password using the ResetAdminPassword page. Simply copy this page into your Sitecore virtual directory. I suggest placing the file in the root directory to avoid any authorization issues. The admin password is hardcoded as ‘Password@1234’ on this page, but you can change it to your preferred password.
3. Next, reset the other user’s passwords using the Sitecore Admin panel. However, this can be cumbersome if there is a long list of users. To perform this task in bulk, use the below PowerShell script, which will generate passwords for all users at once.
4. Once the passwords are generated in bulk, a popup window will display the list of users. You can export this list to an Excel or CSV file, or you can send the list directly via email.
5. This script will not reset the passwords for any admin users, such as sitecore\ServicesAPI, sitecore\Admin, or sitecore\coveouser, etc.
6. The user-specific password format is EmailID_TempPwd@01. You can adjust the script to suit your preferences.

#Admin account pwds shouldn't be reset
$adminUsers = @('sitecore\ServicesAPI', 'sitecore\Admin','sitecore\coveouser')

$userInfo = @()
$pwdStr = '_TempPwd@01'
 
#Filter Sitecore domain users.. If you custom domains, you can also filter through it.
Get-User -Filter "sitecore\*" | ForEach-Object{
    if($adminUsers -notcontains $_.Name){
        #New PWD EMAILID + SALT
        $newPWD = $_.Profile.Email.Split('@')[0] + $pwdStr
        #Reseting New Pwd
        $_ | Set-UserPassword -NewPassword $newPWD -Reset
        #Custom Object to export it
        $userInfo += @{Name =  $_.Name; Email =$_.Profile.Email;Pwd = $newPWD}
        Write-Host $_.Name, $_.Profile.Email, $newPWD
    }
     
}
 
#Custom Object to export it
$props = @{
        Title = "Password Information"
        InfoTitle = "Total $($userInfo.Count) items found!"
        InfoDescription = "The passwords for the following users have been reset."
        PageSize = 2500
    }
    [string[]] $columns = "Name"
    [string[]] $columns +=  "Email"
    [string[]] $columns +=  "Pwd"
     
    $userInfo | Show-ListView @props -Property $columns

So far, everything is good, and you should be able to login to Sitecore with the new password using PBKDF2 hashing.

There is still one catch — while the PBKDF2 implementation from the Zetetic team, developed using 5000 iterations, works well with Sitecore login (sitecore-instance.sc/sitecore/login), it won’t work if you have configured the Identity Server login in Sitecore.

So, how do you configure the Identity Server to use the same algorithm as the Membership provider in your Sitecore instance?

You need to create a new Identity Server plugin that uses the PBKDF2 hashing algorithm. You can follow this article, which clearly guides you through the process.
https://sitecore.stackexchange.com/questions/17980/how-to-enable-custom-hashing-algorithm-on-identity-server

That’s it. As cyber threats become more advanced, ensuring robust password security in your Sitecore environment is paramount. By transitioning from SHA-512 to PBKDF2, you’re taking a significant step toward protecting your users and data from potential breaches. Implementing PBKDF2 not only strengthens your security posture but also future-proofs your Sitecore setup against evolving threats.

You can find my other blogs here.

Thank you!