For user management, Sitecore uses the Microsoft ASP.NET membership provider by default.
When you create a new website, you must replace the weak default hash algorithm (SHA1), which is used to hash user passwords, with a stronger algorithm.
To change the hash algorithm:
- Open the web.config file and, in the <membership> node, set the hashAlgorithmType setting to the appropriate value. We recommend SHA512.
All the supported hash algorithms are listed at CryptoConfig Class.
The Microsoft ASP.NET membership provider does not provide a facility for upgrading to a different hash algorithm after you have created some user accounts. If you change the hash algorithm, existing users can no longer log in to the system and must create a new password.
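One way to verify the setting before any user accounts are created is to parse web.config and report the hashAlgorithmType value on the <membership> node. This is an added example, not Sitecore's own tooling; the function name, the sample configurations, the treatment of MD5 as weak, and the extra passwordFormat check (a standard SqlMembershipProvider attribute not mentioned above) are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# SHA1 is the default the page says to replace; flagging MD5 too is an assumption of this example.
WEAK_ALGORITHMS = {"SHA1", "MD5"}


def audit_membership(config_xml):
    """Return a list of findings for the <membership> node of a web.config."""
    root = ET.fromstring(config_xml)
    node = root.find("system.web/membership")
    if node is None:
        return ["no <membership> node under <system.web>"]
    findings = []
    algo = node.get("hashAlgorithmType")
    if algo is None:
        findings.append("hashAlgorithmType is not set on <membership>")
    elif algo.upper() in WEAK_ALGORITHMS:
        findings.append(f"hashAlgorithmType={algo} is weak; set SHA512 before creating users")
    # hashAlgorithmType only applies when a provider stores hashed passwords
    # (passwordFormat defaults to Hashed for SqlMembershipProvider).
    for provider in node.findall("providers/add"):
        fmt = provider.get("passwordFormat", "Hashed")
        if fmt.lower() != "hashed":
            findings.append(f"provider {provider.get('name')} uses passwordFormat={fmt}")
    return findings


# Constructed sample configurations (not a real Sitecore web.config).
DEFAULT_CONFIG = """<configuration><system.web>
  <membership defaultProvider="example" hashAlgorithmType="SHA1">
    <providers>
      <add name="example" type="System.Web.Security.SqlMembershipProvider" />
    </providers>
  </membership>
</system.web></configuration>"""

HARDENED_CONFIG = DEFAULT_CONFIG.replace('hashAlgorithmType="SHA1"',
                                         'hashAlgorithmType="SHA512"')

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_membership(cfg) or "OK")
```

Running a check like this as part of deployment catches a SHA1 setting while it can still be changed without forcing password resets.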