"Invalid username or password" message after changing the hashing algorithm from SHA1 to SHA512

  • After applying the security hardening steps recommended in the Change the hash algorithm for password encryption article, user authentication through Identity Server might fail with the "Invalid username or password" message.

    Note that changing the algorithm does not rehash the passwords already stored in the database: they remain SHA1 hashes, can no longer be verified against the new algorithm, and need to be generated again.

  • To fix the issue perform the following steps:

    1. Download the Hotfix for Sitecore XP 9.1.0 - Sitecore XP 9.1.1.
    2. Extract the ZIP file contents to locate installation instructions and related files inside it.
      Note that the hotfix was built specifically for Sitecore XP 9.1, so do not install it on other Sitecore XP versions or in combination with other hotfixes, unless explicitly instructed by Sitecore Support. Unless stated differently in the installation instructions, install the hotfix on the CM instance and then sync it with other instances using regular development practices.
    3. Log in as an administrator while both Sitecore XP and the Identity Server still use the SHA1 configuration.
    4. Once the hotfix is installed in the Identity Server, modify the configuration files so that both Sitecore and the Identity Server use SHA512:
      • Change the hash algorithm in the /sitecore/Sitecore.Plugin.IdentityServer/Config/identityServer.xml file
        from:
        <PasswordHashAlgorithm>SHA1</PasswordHashAlgorithm>
        to:
        <PasswordHashAlgorithm>SHA512</PasswordHashAlgorithm>
      • In the Web.config file, in the <membership> node, set the hashAlgorithmType attribute to SHA512.
    5. Use the User Manager application to set a new admin password so that it is stored hashed with the new algorithm. The administrator session from step 3 survives the AppPool recycle caused by the config changes, so you are still logged in. Changing the admin password to a chosen value does not work at this point, because the old password cannot be verified after the hash algorithm change. Therefore, use the Generate button to get a new hashed admin password.
    6. Use the same method as above to change other users' passwords.
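The following Python is an added example, not code from this article or from Sitecore. It models the password hashing of the stock ASP.NET SqlMembershipProvider (hash over the decoded salt followed by the UTF-16LE password, base64 encoded) to show why the SHA1 hashes already in the database stop verifying once hashAlgorithmType becomes SHA512, why a regenerated password verifies again, and it adds a check that identityServer.xml and Web.config name the same algorithm before the AppPool recycles. The salt, passwords and XML fragments are constructed sample data, and the assumption that Sitecore's membership provider follows the stock scheme is exactly that, an assumption.

```python
"""Why stored SHA1 password hashes fail after switching to SHA512.

Modelled on the stock ASP.NET SqlMembershipProvider for passwordFormat="Hashed":
    stored = base64( H( base64decode(salt) || UTF-16LE(password) ) )
Assumption: Sitecore's membership provider delegates to this scheme.
All salts, passwords and config fragments below are constructed sample data.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET


def encode_password(password: str, salt_b64: str, algorithm: str) -> str:
    """Hash password with the base64 salt using the named algorithm (SHA1/SHA512)."""
    digest = hashlib.new(algorithm.lower())
    digest.update(base64.b64decode(salt_b64))
    digest.update(password.encode("utf-16-le"))
    return base64.b64encode(digest.digest()).decode("ascii")


def new_salt_b64() -> str:
    """Fresh random 16-byte salt in the base64 form the provider stores."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def verify(password: str, stored_hash: str, salt_b64: str, algorithm: str) -> bool:
    """Recompute with the currently configured algorithm and compare in constant time."""
    return hmac.compare_digest(encode_password(password, salt_b64, algorithm), stored_hash)


def configured_algorithms(identity_server_xml: str, web_config_xml: str) -> dict:
    """Read the hash algorithm named in identityServer.xml and in Web.config."""
    node = ET.fromstring(identity_server_xml).find(".//PasswordHashAlgorithm")
    membership = ET.fromstring(web_config_xml).find(".//membership")
    return {
        "identity_server": (node.text or "").strip().upper() if node is not None else "",
        "web_config": (membership.get("hashAlgorithmType") or "").strip().upper()
        if membership is not None else "",
    }


def configs_match(identity_server_xml: str, web_config_xml: str) -> bool:
    """True only when both files name the same, non-empty algorithm."""
    algs = configured_algorithms(identity_server_xml, web_config_xml)
    return bool(algs["identity_server"]) and algs["identity_server"] == algs["web_config"]


# Constructed sample data: a fixed salt and password standing in for a DB row.
SALT = base64.b64encode(bytes(range(16))).decode("ascii")
OLD_PASSWORD = "sample-password"
SHA1_HASH = encode_password(OLD_PASSWORD, SALT, "SHA1")  # what the DB held before the change

# Minimal constructed fragments of the two files, not the real Sitecore configs.
IDS_SHA1 = "<Settings><Sitecore><IdentityServer><PasswordHashAlgorithm>SHA1</PasswordHashAlgorithm></IdentityServer></Sitecore></Settings>"
IDS_SHA512 = IDS_SHA1.replace("SHA1", "SHA512")
WEB_SHA512 = '<configuration><system.web><membership defaultProvider="sitecore" hashAlgorithmType="SHA512"/></system.web></configuration>'


def demo() -> dict:
    """Walk through the failure and the fix; returns the observed outcomes."""
    results = {}
    # Before the change both sides use SHA1: the stored hash verifies.
    results["sha1_before"] = verify(OLD_PASSWORD, SHA1_HASH, SALT, "SHA1")
    # After the switch the same stored hash is checked with SHA512 and fails:
    # this is the "Invalid username or password" symptom.
    results["sha1_after"] = verify(OLD_PASSWORD, SHA1_HASH, SALT, "SHA512")
    # Generating a new password (step 5) stores a SHA512 hash, which verifies.
    new_password = base64.b64encode(os.urandom(12)).decode("ascii")
    new_salt = new_salt_b64()
    results["sha512_regenerated"] = verify(
        new_password, encode_password(new_password, new_salt, "SHA512"), new_salt, "SHA512"
    )
    # Half-applied step 4 (only Web.config changed) is caught by the config check.
    results["configs_half_applied"] = configs_match(IDS_SHA1, WEB_SHA512)
    results["configs_complete"] = configs_match(IDS_SHA512, WEB_SHA512)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The config check is the part worth running against the real identityServer.xml and Web.config after step 4, since the article requires both files to name the same algorithm before the AppPool recycles.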

Applies to:

CMS 9.1 Initial Release - 9.1 Update-1

CMS 9.2 Initial Release

January 22, 2020
February 11, 2020

Reference number:

302092