Hashing for fun and profit…

Nope, not cannabis, nor potato, but rather this:

Yup, password hashes in Sitecore. Unfortunately, they’re not all that secure – but they can be.


Password Strength Estimation with zxcvbn

Following up my last post about Troy Hunt and breached passwords, I thought I’d look at something it mentioned – zxcvbn password strength estimation. Password strength estimators are, as a rule, crap. Usually it’s simply “is there a number, is there a capital”, etc., so passwords like “P@ssword1234” can come out as being ‘strong’, which is clearly wrong.

zxcvbn (awful name) attempts to make a smarter estimate of password strength. Basically, it looks at your password, and tries to estimate its strength based on appearances in dictionaries, structure, and entropy. It’ll then give an estimated “time to crack”, and tell you any matches that were achieved. For example (and neither of these are good passwords – score goes up to 4, and you want to get at least 3):

Yup, that’s pretty cool.

It’s available as a NuGet package (and is implemented in some form in most frameworks). The original zxcvbn was intended to run solely within the browser – but it still had 0.5 Mb of dictionary files to download. That’s built into the assembly for the NuGet package.

Testing a password – that’s simple:

var result = Zxcvbn.MatchPassword("Squeamish Ossifrage");

Neat. Worth considering if you’re implementing a password change or registration feature.

Bonus observation: http://gavinmiller.io/2016/a-tale-of-security-gone-wrong/


Check Users Passwords during Registration/Login

Troy Hunt has published the hashes of 306,000,000 passwords that have been breached, and exposed them as a web service.



This lets you tell a user if a given password has appeared in a breach. You send the service a hash of the password, and Troy’s web service responds if that hash has appeared in a breach.

Why is that useful? You can proactively inform users if their password has been breached (and recorded in Have I Been Pwned) at either registration or login. You may want to block users from using that password, or you could just warn them.
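A sketch of that check, as an added example rather than code from the original post: only the hash of the password is handed to the lookup, and the outcome depends on whether the user is registering or logging in. The hash set, the local_lookup function, the block/warn policy and the "unchecked" outcome are assumptions made for illustration; SHA-1 in upper-case hex is assumed as the hash format.

```python
import hashlib

def sha1_hex(password):
    """Hash the password locally; only this value is ever looked up."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for the published breach hashes (not real breach data).
BREACHED_HASHES = {sha1_hex(p) for p in ("P@ssword1234", "letmein", "qwerty123")}

def local_lookup(digest):
    """Hypothetical lookup; in production this is a query against a local
    copy of the published hashes or a call to the web service."""
    return digest in BREACHED_HASHES

# Assumed policy: refuse a breached password at registration, warn at login.
POLICY = {"registration": "block", "login": "warn"}

def check_password(password, event, lookup=local_lookup):
    """Return 'ok', 'warn', 'block' or 'unchecked' for one attempt."""
    digest = sha1_hex(password)
    try:
        breached = lookup(digest)
    except OSError:
        # Lookup unavailable: report it so the caller can log and decide,
        # instead of silently treating the password as clean.
        return "unchecked"
    return POLICY[event] if breached else "ok"

if __name__ == "__main__":
    for pw, ev in (("P@ssword1234", "registration"), ("P@ssword1234", "login"),
                   ("Squeamish Ossifrage 9471", "registration")):
        print(ev, "->", check_password(pw, ev))
```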


Sitecore Express Upgrade Tool 2.0 Issue

So, you’re doing an upgrade. You copy the live system, run through the upgrade, and test it, before repeating the ‘upgrade’ bit during content freeze with the latest data. So far, so normal; it’s a sensible way to check your system before the big update.

Picture this, if you will. You’ve done the upgrade with a snapshot of the data. It’s taken months. You tested, fixed, tested, fixed, and you’re happy to start the content freeze, run the express migration tool, and go live. So you run the Express Migration tool 2.0, and then try logging in as Admin to check it worked…


NullReferenceException in Sitecore.ExperienceExplorer.Business.Pipelines.HttpRequest.EnableExperienceModePipeline.Process

Recently I was upgrading a site to Sitecore 8.2.1, and I received the following error:

Okay, WTF? There’s not a lot of information about this error, and I’d never seen it before. I ended up doing my usual trick – decompiling Sitecore to see what this method does. Here’s what I found…

…and the bit underlined in red set my “stupidity radar” screaming. This line is:

string database = SiteContext.GetSite(Settings.Preview.DefaultSite).SiteInfo.Database;

If GetSite() returns null, you’ll get a null reference exception, because they didn’t bother to check the returned variable before trying to use its ‘SiteInfo’ property.

It does offer a clue, though. Our upgraded system lacks a site called ‘website’. That is, in our config, under the <sites> node, there is no <site ... > called ‘website’. However, the DefaultSite setting in Sitecore.config still had its default value of ‘website’.

We changed it to the name of our site, and this error was resolved.


This server could not prove that it is … its security certificate is from [missing_subjectAltName]

Yesterday, I had a working development site suddenly start throwing SSL errors:

The error message was:

This server could not prove that it is [Server Name] its security certificate is from [missing_subjectAltName]

Huh? What broke this?

Well, it turns out that Chrome had updated to Chrome 58, which removed support for the “Common Name” field. Instead, we’re supposed to use the “Subject Alternative Name” (SAN) field. That’s unfortunate; the IIS ‘Create Certificate Request’ option we’d used resulted in a certificate with no Subject Alternative Name field. That could be a result of how it was handled – I didn’t create the certificate – but it looks like Windows MakeCert doesn’t handle Subject Alternative Names, so I wouldn’t be surprised if this is a general Windows issue.

The SSL cert continued to work without a SAN just fine in IE, but Firefox and Chrome now demand it, and so were throwing SSL errors.

Now, it seems that the Subject Alternative Name is what we’re actually supposed to use, and that publicly trusted certs have used both fields for years – but in our development server, using our own CA, that wasn’t the case.

See How to Request a Certificate With a Custom Subject Alternative Name.
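The difference between the two behaviours described above, as an added example that is not part of the original post: a hostname check over certificate dictionaries shaped like the output of Python's ssl getpeercert(). The two certificates and the dev.example.test names are constructed, and the wildcard rule is a simplification of what browsers apply.

```python
def _dns_match(pattern, host):
    """Match one name against host; '*' is honoured only as the whole
    left-most label and never directly under a top-level domain."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_hostname(cert, host, allow_cn_fallback=False):
    """Return (ok, reason). allow_cn_fallback=False models the SAN-only
    check (Chrome 58 in the post); True models the older behaviour that
    still falls back to the Common Name when no SAN is present."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        # Once SAN DNS names exist, the Common Name is never consulted.
        if any(_dns_match(n, host) for n in dns_names):
            return True, "matched subjectAltName"
        return False, "no subjectAltName entry matches"
    if not allow_cn_fallback:
        return False, "missing_subjectAltName"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_dns_match(cn, host) for cn in cns):
        return True, "matched commonName (legacy fallback)"
    return False, "commonName does not match"

# Constructed certificates: what a CN-only request produces, and a reissued
# certificate that carries the same name in the SAN extension.
CN_ONLY_CERT = {"subject": ((("commonName", "dev.example.test"),),)}
SAN_CERT = {
    "subject": ((("commonName", "dev.example.test"),),),
    "subjectAltName": (("DNS", "dev.example.test"), ("DNS", "*.dev.example.test")),
}

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY_CERT), ("with SAN", SAN_CERT)):
        print(label, "strict:", check_hostname(cert, "dev.example.test"))
        print(label, "legacy:", check_hostname(cert, "dev.example.test", True))
```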
