New Post
11/10/2006 2:40 PM
 

hi,

I want to store dnn passwords hashed instead of encrypted.

Will dnn user still be able to reset their passwords using the forgot password link in the login control?

Thanks in advance

 
New Post
11/13/2006 4:09 AM
 
Hi,

Could anyone please help me out here?

I'm running 4.3.5 and want to harden my install as suggested in "securing dnn, hardening dnn installation".

I changed my web.config from:


<add name="AspNetSqlMembershipProvider"
          type="System.Web.Security.SqlMembershipProvider"
                    connectionStringName="SiteSqlServer"
                    enablePasswordRetrieval="true"
                    enablePasswordReset="true"
                    requiresQuestionAndAnswer="false"
                    minRequiredPasswordLength="7"
                    minRequiredNonalphanumericCharacters="0"
                    requiresUniqueEmail="false"
                    passwordFormat="Encrypted"
                    applicationName="DotNetNuke"
                    description="Stores and retrieves membership data from the local Microsoft SQL Server database" />

to:

<add name="AspNetSqlMembershipProvider"
          type="System.Web.Security.SqlMembershipProvider"
                    connectionStringName="SiteSqlServer"
                    enablePasswordRetrieval="false"
                    enablePasswordReset="true"
                    requiresQuestionAndAnswer="false"
                    minRequiredPasswordLength="7"
                    minRequiredNonalphanumericCharacters="0"
                    requiresUniqueEmail="false"
                    passwordFormat="Hashed"
                    applicationName="DotNetNuke"
                    description="Stores and retrieves membership data from the local Microsoft SQL Server database" />

Installation completes successfully, but when I register a new user, log out, and then try to fill in my username in the forgot password link on the login form, I get neither a successful reset password message nor an error message saying that password reset failed for some reason.

When I log in as admin and reset the password for the earlier created user, the password is successfully reset and the user gets a newly generated password.

Also when I install with encrypted passwords instead of hashed, I'm able to request password from the forget password link.

Thanks in advance!!!
 
New Post
11/13/2006 5:32 AM
 
I compared the \Users\Password.ascx.vb code to the \Security\SendPassword.ascx.vb code and found that the resetPassword functionality:

Private Sub cmdReset_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles cmdReset.Click

            Dim answer As String = ""
            If MembershipProviderConfig.RequiresQuestionAndAnswer And Not IsAdmin Then
                If txtAnswer.Text = "" Then
                    OnPasswordUpdated(New PasswordUpdatedEventArgs(PasswordUpdateStatus.InvalidPasswordAnswer))
                    Exit Sub
                End If
                answer = txtAnswer.Text
            End If

            Try
                UserController.ResetPassword(User, answer)
                OnPasswordUpdated(New PasswordUpdatedEventArgs(PasswordUpdateStatus.Success))
            Catch exc As ArgumentException
                OnPasswordUpdated(New PasswordUpdatedEventArgs(PasswordUpdateStatus.InvalidPasswordAnswer))
            Catch ex As Exception
                OnPasswordUpdated(New PasswordUpdatedEventArgs(PasswordUpdateStatus.PasswordResetFailed))
            End Try

        End Sub

is missing in \Security\SendPassword.ascx.vb (it only checks whether passwordRetrieval is enabled, not whether passwordReset is enabled):

Dim objUser As UserInfo = UserController.GetUserByName(PortalSettings.PortalId, txtUsername.Text, False)
                    If Not objUser Is Nothing Then
                        If MembershipProviderConfig.PasswordRetrievalEnabled Then
                            Try
                                objUser.Membership.Password = UserController.GetPassword(objUser, txtAnswer.Text)
                            Catch ex As Exception
                                canSend = False
                                strMessage = Localization.GetString("PasswordRetrievalError", Me.LocalResourceFile)
                            End Try
                        Else
                            canSend = False
                            strMessage = Localization.GetString("PasswordRetrievalDisabled", Me.LocalResourceFile)
                        End If
                        If canSend Then
                            Try
                                Mail.SendMail(objUser, MessageType.PasswordReminder, PortalSettings)
                                strMessage = Localization.GetString("PasswordSent", Me.LocalResourceFile)
                            Catch ex As Exception
                                canSend = False
                            End Try
                        End If
                    Else
                        strMessage = Localization.GetString("UsernameError", Me.LocalResourceFile)
                        canSend = False
                    End If

Is the password reset functionality intentionally left out of forgot password when using Hashed passwords? It is available to the admin/host user in the user management pages. Maybe I'm missing something here, or is this functionality missing in the core? (I guess the forgot password link should at least inform the user that passwordReset is not possible when using hashed passwords.)


Thanks in advance
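As an added example (not DNN's code) covering both the web.config change and the SendPassword path quoted above: a small Python checker that reads the provider element, flags a combination a hardened install should not have, and contrasts the 4.3.5 forgot-password decision with a reset-aware one. The attribute names are the real SqlMembershipProvider ones from the posted web.config; the function names and the returned status strings are my own.

```python
# Added example (not DNN's own code): parse the SqlMembershipProvider element
# from a web.config fragment, lint the hardened settings, and model what the
# forgot-password control does with them in 4.3.5 versus a reset-aware version.
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the hardened settings quoted in the thread.
WEB_CONFIG = """<membership defaultProvider="AspNetSqlMembershipProvider">
  <providers>
    <add name="AspNetSqlMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider"
         enablePasswordRetrieval="false" enablePasswordReset="true"
         requiresQuestionAndAnswer="false" passwordFormat="Hashed" />
  </providers>
</membership>"""

def load_provider(xml_text, name="AspNetSqlMembershipProvider"):
    """Return the named provider's attributes; boolean attributes become bools."""
    for add in ET.fromstring(xml_text).iter("add"):
        if add.get("name") == name:
            cfg = dict(add.attrib)
            for key in ("enablePasswordRetrieval", "enablePasswordReset",
                        "requiresQuestionAndAnswer"):
                cfg[key] = cfg.get(key, "false").lower() == "true"
            return cfg
    raise KeyError("provider %s not found" % name)

def check_provider(cfg):
    """Settings a hardened install should not have (an empty list means clean)."""
    problems = []
    if cfg.get("passwordFormat") != "Hashed":
        problems.append("passwordFormat is not Hashed: stored passwords are recoverable")
    elif cfg["enablePasswordRetrieval"]:
        # SqlMembershipProvider refuses to initialise with this combination.
        problems.append("Hashed passwords cannot be retrieved; disable enablePasswordRetrieval")
    return problems

def core_forgot_password(cfg):
    """SendPassword.ascx.vb as quoted: only PasswordRetrievalEnabled is consulted."""
    return "PasswordSent" if cfg["enablePasswordRetrieval"] else "PasswordRetrievalDisabled"

def reset_aware_forgot_password(cfg, have_answer=False):
    """Fallback the thread asks for: reset (as the admin Password control does)
    when retrieval is off, demanding the answer if requiresQuestionAndAnswer is set."""
    if cfg["enablePasswordRetrieval"]:
        return "PasswordSent"
    if cfg["enablePasswordReset"]:
        if cfg["requiresQuestionAndAnswer"] and not have_answer:
            return "InvalidPasswordAnswer"
        return "PasswordReset"
    return "PasswordResetDisabled"
```

With the hardened fragment above, `core_forgot_password` returns "PasswordRetrievalDisabled" (the dead end the post describes) while `reset_aware_forgot_password` returns "PasswordReset".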
 
New Post
11/13/2006 8:38 AM
 

 

When using a hashed password there is no way to "unhash" it.  A hash is a one-way operation, that is what makes it more secure.  So no, you will not be able to retrieve and send passwords that are hashed, but you wouldn't want to do that anyway if you are trying to harden the security.

I haven't had a chance to try the hashed password functionality on the new membership code yet, but you are correct in that the forgot password link should not try to send a password, it should instead allow the user to reset their password by going through a challenge / answer sequence.


DotNetNuke Modules from Snapsis.com
 
New Post
11/13/2006 8:57 AM
 
Thanks!

I know hashing is irreversible, and users can never retrieve their passwords.  I do want them to be able to reset their passwords.

Can I conclude from your post that when I enable the challenge / answer sequence by changing requiresQuestionAndAnswer to True in web.config, users themselves can reset their password?

Thanks in advance
 