Change the hash algorithm for password encryption

Last updated Monday, May 1, 2017 in Sitecore Experience Platform for Administrator

For user management, Sitecore uses the Microsoft ASP.NET membership provider by default.

When you create a new website, you must change the weak default hash algorithm (SHA1) that is used to encrypt user passwords to a stronger algorithm.

To change the hash algorithm:

  • Open the web.config file and in the <membership> node, set the hashAlgorithmType setting to the appropriate value. We recommend SHA512.

All the supported hash algorithms are listed at CryptoConfig Class.


The Microsoft ASP.NET membership provider does not provide a facility for upgrading to a different hash algorithm after you have created some user accounts. If you change the hash algorithm, existing users can no longer log into the system and must create a new password.

Send feedback about the documentation to