Okay, this relates to my recent post on password hashing in Sitecore, and why we should move away from SHA1. Let’s say you’ve decided to use SHA512 for a brand new instance like Sitecore recommend…
When you create a new website, you must change the weak default hash algorithm (SHA1) that is used to encrypt user passwords to a stronger algorithm.
To change the hash algorithm:
- Open the web.config file and in the node, set the hashAlgorithmType setting to the appropriate value. We recommend SHA512.
Okay, funky, but how do I make the existing admin’s password work?
- Log in to Sitecore, change the setting in the web config, and when your site reloads, quickly change your password before the session expires.
- Run the following SQL in your CORE/Security database to set the password:
UPDATE [aspnet_Membership]
set [Password] = 'K8N8GUW8UiNT2mPdjvuBDH+QmvA3R61M9buVvCwFHwtDjpMzTxs34lg0uQ0azCITqh6FkUZlX4kM72lsAyuyXQ=='
where [UserId] = '4342515E-2BF6-4480-91CE-A2D9ACE502A8'
and [PasswordSalt] = 'p5B6HOWKt0ctMZaSNXTlfw=='
This should set the Admin’s password to ‘b’. Obviously, you should then change that to a secure password or passphrase.
Update: For Sitecore 9.0.1, this will need to be:
Update [aspnet_Membership] set [Password] = '2hwfEqtM7gDFekQaV/IOkog5DFmxRtywvUsRJqRf7j82Ns3pUkiu/WohjLk8mIV2+7MjXdMeO9MgAUjildTLtg==', [PasswordSalt] = 'ETJOU1+PX4CwEOw/eN3F6Q==' where [UserId] = '68FFFAA2-1FFE-4006-B661-A8B6B80C81DE'
It seems that the PowerShell scripts set a different password and salt for different instances.
This is a lot like how I suggested fixing locked admins before. Note that user IDs and password salts seem to change across Sitecore versions; this matched a couple of my Sitecore 8.2 (update 4 and 5) instances, but is a different user ID and salt to what worked for my Sitecore 7.5 instances. You may need to check the aspnet_Users table to find your Admin user’s user ID.
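Because the user ID and salt differ between instances, a fixed hash/salt pair from a blog post only works when your row happens to match it. The script below is an added example (not from the original post or from Sitecore) that generates the UPDATE statement for your own user ID, a fresh random salt and a passphrase of your choosing. It assumes the instance uses the stock ASP.NET SqlMembershipProvider hashed format, which hashes the raw salt bytes followed by the UTF-16LE bytes of the password and stores the Base64 digest; with the salt from the post and the password ‘b’ it should reproduce the hash shown above. The function names and the 16-byte salt size are this example's assumptions.

```python
import base64
import hashlib
import hmac
import os
import uuid

# Salt size assumed here: SqlMembershipProvider stores a 16-byte salt, Base64-encoded, in [PasswordSalt].
SALT_SIZE_BYTES = 16

# web.config hashAlgorithmType values mapped to hashlib digest names.
HASH_ALGORITHMS = {"SHA1": "sha1", "SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512"}


def new_salt() -> str:
    """Return a fresh random salt, Base64-encoded the way it is stored in [PasswordSalt]."""
    return base64.b64encode(os.urandom(SALT_SIZE_BYTES)).decode("ascii")


def encode_password(password: str, salt_b64: str, hash_algorithm_type: str = "SHA512") -> str:
    """Hash a password as the membership provider's Hashed format does:
    Base64( H( salt_bytes || UTF-16LE(password) ) ), where H is the configured algorithm."""
    digest_name = HASH_ALGORITHMS[hash_algorithm_type.upper()]
    salt = base64.b64decode(salt_b64)
    password_bytes = password.encode("utf-16-le")
    digest = hashlib.new(digest_name, salt + password_bytes).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_password(password: str, salt_b64: str, stored_hash_b64: str,
                    hash_algorithm_type: str = "SHA512") -> bool:
    """Constant-time comparison of a candidate password against a stored hash/salt pair."""
    candidate = encode_password(password, salt_b64, hash_algorithm_type)
    return hmac.compare_digest(candidate, stored_hash_b64)


def build_update_sql(user_id: str, password: str, hash_algorithm_type: str = "SHA512",
                     salt_b64: str = "") -> str:
    """Produce the UPDATE for aspnet_Membership that sets a new hash and salt for one user.

    The interpolated values are safe to embed as literals: the user ID is validated as a GUID,
    and the hash and salt are Base64 produced by this script, not free-form input."""
    uid = str(uuid.UUID(user_id)).upper()          # raises ValueError on anything that is not a GUID
    salt = salt_b64 or new_salt()                  # reuse a known salt or generate a fresh one
    password_hash = encode_password(password, salt, hash_algorithm_type)
    return (
        "UPDATE [aspnet_Membership] "
        f"SET [Password] = '{password_hash}', [PasswordSalt] = '{salt}' "
        f"WHERE [UserId] = '{uid}'"
    )


if __name__ == "__main__":
    # Constructed sample run: the user ID from the post, a chosen passphrase, SHA512 as configured.
    print(build_update_sql("4342515E-2BF6-4480-91CE-A2D9ACE502A8", "correct horse battery staple"))
```

Run it once, paste the printed statement into the CORE/Security database, and then the passphrase you chose works immediately under the new hashAlgorithmType; there is no interim ‘b’ password to rotate afterwards. Because the salt is regenerated on every run, the hash in the output changes each time even for the same passphrase.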