Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
General Discussion: DNN Minimum Password Length

New Post
8/11/2006 2:40 PM
 
I'm sure you've all tried to enter a password that was too short when registering for a website. My favourite password is five characters long and I HATE being asked to enter one at least 6-8 characters long.

Don't get me wrong, I understand the concept for important things, such as online bank accounts or anything with important personal information. I have a secure USB flash drive where I keep important documents with 128-bit encryption, and my password for that is a 10-char mixture of numbers, letters and special characters.

However, when I want to sign up to a stupid website forum, where the only information being protected is my real name and email address (assuming I entered real details), it makes little sense to enforce high security. Besides which, if someone really wanted to access my account on a forum there are much easier ways of doing it. Chances are I could exploit a security flaw in the CMS or hosting environment.

What about brute force attacks? Password length minimums are intended to increase the possible combinations of the password, with each extra character exponentially increasing the time required to try all the possible combinations. Brute force hacking on the web is much slower than a locally run application; each attempt is a full postback taking potentially a few seconds. Chances are the amount of attempts required on even a 5-char password would be enough to fire off warning signs to your ISP for a denial of service attack or irregular use.

Length has nothing to do with personally referenced passwords. If I used my dog's name and you guessed it because I know you IRL or something, then it wouldn't matter if it was 15 chars or 2, because you bypassed the guessing process.

So if you own a website that requires registration, consider the value of the information you're storing and the ease of alternative access methods before SACRIFICING USABILITY of your website. If someone can't remember their login because they've been forced to make a new one, then if they do come back (and presumably you want them to) they're not going to be able to log in until they've requested a new one and waited 15 minutes for the email to arrive. All of which translates to a negative experience stacked against you.

PS: Trying to register for DNN prompted this post.

 
New Post
8/11/2006 6:20 PM
 

Jeffrey,

They're all fair points (I prefer to only create a user on a website if I'm likely to return consistently, and not just to access a single article/module; I run my own website without requiring usernames/passwords). Some of the problems probably come from dotnetnuke.com's default settings, so I wanted to point out a few things just in case people don't know. First of all, you can disable the requirement for membership (we support 4 different modes, one of which, 'none', means you don't need usernames/passwords).

If you do plan on having username/password combinations for users, then you can choose the minimum size and complexity by changing the minRequiredPasswordLength and minRequiredNonalphanumericCharacters values respectively in your web.config. For a long time we had a default requirement of 4-character passwords, but this was consistently raised in a number of security audits as an insecure default, so we raised it recently to 7. The "Hardening DotNetNuke Installations.pdf" document in the documentation download mentions this, and details the steps to raise/lower this limit.

As far as dictionary-based attacks go, ISPs would not typically be aware of them, unless they're using huge numbers of requests. Typically with a postback architecture, the dictionary attacks don't overwhelm the web application itself, so whilst slower they are harder to detect. We've support for auto-lockouts built into dotnetnuke (under host->host settings), but again if you wish you can disable this (this is also detailed in the doc I mentioned earlier).

Cathal


Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US
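To make the web.config point in Cathal's reply concrete, here is an added example (not DNN's own code or its shipped web.config): a small auditor that reads the membership provider section and reports the settings a security audit would flag. The `minRequiredPasswordLength`, `minRequiredNonalphanumericCharacters`, `maxInvalidPasswordAttempts` and `passwordAttemptWindow` attributes are the standard ASP.NET 2.0 SqlMembershipProvider attributes; the provider name, connection string name, the other attribute values and the "above 10 attempts means lockout is effectively off" threshold are assumptions made for this example. The two config excerpts are constructed: one with the old 4-character default the audits complained about, one raised to 7 as the thread describes.

```python
import xml.etree.ElementTree as ET

# Constructed web.config excerpt (NOT DNN's shipped file). It mirrors the
# pre-change situation described in the thread: the membership provider
# explicitly set to a 4-character minimum. Attribute names are the standard
# ASP.NET 2.0 SqlMembershipProvider attributes; the provider name, connection
# string name and remaining values are assumptions for this example.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <clear />
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="SiteSqlServer"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             minRequiredPasswordLength="4"
             minRequiredNonalphanumericCharacters="0"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             passwordFormat="Encrypted" />
      </providers>
    </membership>
  </system.web>
</configuration>
"""

# The same excerpt with the minimum raised to 7, as the thread says was done.
HARDENED_WEB_CONFIG = WEAK_WEB_CONFIG.replace(
    'minRequiredPasswordLength="4"', 'minRequiredPasswordLength="7"'
)

# Documented SqlMembershipProvider defaults, applied when an attribute is absent.
PROVIDER_DEFAULTS = {
    "minRequiredPasswordLength": 7,
    "minRequiredNonalphanumericCharacters": 1,
    "maxInvalidPasswordAttempts": 5,
    "passwordAttemptWindow": 10,  # minutes
}


def effective_settings(xml_text):
    """Return the numeric password/lockout settings of the default membership
    provider, falling back to the provider defaults for missing attributes."""
    root = ET.fromstring(xml_text)
    membership = next(root.iter("membership"), None)
    if membership is None:
        raise ValueError("no <membership> element found")
    wanted = membership.get("defaultProvider")
    for add in membership.iter("add"):
        if wanted is None or add.get("name") == wanted:
            return {key: int(add.get(key, default))
                    for key, default in PROVIDER_DEFAULTS.items()}
    raise ValueError("default provider %r has no <add> entry" % wanted)


def audit_membership_config(xml_text, min_length=7, max_attempts_ceiling=10):
    """List the findings an audit would raise. min_length follows the thread
    (the insecure default of 4 was raised to 7); max_attempts_ceiling is an
    assumed threshold above which the provider lockout is effectively off."""
    s = effective_settings(xml_text)
    findings = []
    if s["minRequiredPasswordLength"] < min_length:
        findings.append("minRequiredPasswordLength=%d is below %d"
                        % (s["minRequiredPasswordLength"], min_length))
    if s["maxInvalidPasswordAttempts"] > max_attempts_ceiling:
        findings.append("maxInvalidPasswordAttempts=%d effectively disables lockout"
                        % s["maxInvalidPasswordAttempts"])
    if s["passwordAttemptWindow"] < 1:
        findings.append("passwordAttemptWindow=%d minutes never accumulates attempts"
                        % s["passwordAttemptWindow"])
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(label, effective_settings(cfg), audit_membership_config(cfg) or "OK")
```

Pointing `audit_membership_config` at a real web.config (`open("web.config").read()`) is enough to see whether a site still carries the old 4-character setting; the audit only reads the default provider, so a second `<add>` entry that is not the `defaultProvider` is ignored on purpose.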
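Cathal's second point, that postback-paced dictionary guessing is too slow to trip an ISP or overwhelm the application, is exactly why a per-account failure budget over a longer horizon is worth having next to the built-in lockout. The following is an added example, not DNN's code: it replays constructed login-audit lines (the line format is an assumption for this example) through two sliding windows, one matching the SqlMembershipProvider defaults of 5 failures in 10 minutes, and a longer assumed budget of 10 failures in 24 hours, and reports which accounts each window would flag.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_log():
    """Constructed login-audit lines (not real DNN log output): the account
    'jeffrey' receives a failed attempt every 3 minutes for an hour from one
    address, interleaved with ordinary activity from another account."""
    start = datetime(2006, 8, 11, 18, 0, 0)
    lines = []
    for i in range(20):
        stamp = start + timedelta(minutes=3 * i)
        lines.append("%s LOGIN_FAIL user=jeffrey ip=203.0.113.5"
                     % stamp.strftime("%Y-%m-%d %H:%M:%S"))
    lines.insert(2, "2006-08-11 18:04:00 LOGIN_FAIL user=cathal ip=198.51.100.7")
    lines.append("2006-08-11 19:10:00 LOGIN_OK user=cathal ip=198.51.100.7")
    return lines


LINE_RE = re.compile(r"^(\S+ \S+) (LOGIN_FAIL|LOGIN_OK) user=(\S+) ip=(\S+)$")


def parse_line(line):
    """Split one audit line into (timestamp, event, user, ip)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised line: %r" % line)
    stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return stamp, m.group(2), m.group(3), m.group(4)


def count_in_windows(lines, budgets):
    """budgets maps a label to (window, max_failures). Returns {label: set of
    users} whose failed logins reached max_failures inside some sliding window
    of that length. Lines must be in time order."""
    recent = {label: defaultdict(deque) for label in budgets}
    flagged = {label: set() for label in budgets}
    for line in lines:
        stamp, event, user, _ip = parse_line(line)
        if event != "LOGIN_FAIL":
            continue
        for label, (window, limit) in budgets.items():
            q = recent[label][user]
            q.append(stamp)
            # Drop failures that have aged out of this window.
            while stamp - q[0] > window:
                q.popleft()
            if len(q) >= limit:
                flagged[label].add(user)
    return flagged


def detect_slow_guessing(lines):
    """Provider-style lockout window (5 in 10 minutes, the SqlMembershipProvider
    defaults) beside a longer per-account budget (assumed: 10 in 24 hours)."""
    return count_in_windows(lines, {
        "lockout": (timedelta(minutes=10), 5),
        "slow": (timedelta(hours=24), 10),
    })


if __name__ == "__main__":
    for label, users in detect_slow_guessing(constructed_log()).items():
        print(label, sorted(users) or "nobody")
```

On the constructed lines the 10-minute window never reaches five failures for any account, while the 24-hour budget flags `jeffrey` after the tenth failure, which is the kind of signal an operator would feed to an alert rather than an automatic lockout, since a long-horizon counter can also be tripped by a forgetful legitimate user.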
 
New Post
8/12/2006 3:36 AM
 

 

Thanks for bringing this to my attention Jeffrey. I never gave it that much thought, but I just pushed mine back to 5 characters.


DotNetNuke Modules from Snapsis.com
 