New Post
2/26/2010 2:03 PM
 

This question is related to both DNN v4.9.5 and the latest v5. I am not using v5 yet, but certainly will.

I've wanted to use Hashed passwords ever since I started using DNN when v4 first came out. Yes, they are not as convenient as encrypted, but they are more securely stored. I have reported problems in Gemini years ago about password resets. I just tried this again with DNN 4.9.5 and it is still problematic if a user forgets their password.

If they click on Forgot password, they get the form to "send password". If they enter their username and click send, it will ask the security question entered. When the answer is filled in correctly, again, the only option is to click on "Send Password" and they are presented with an error.

"Password retrieval is disabled on this site. Please contact an administrator for assistance in retrieving your account details"

Of course password retrieval is disabled since the password is hashed, but there needs to be a way to recover from this, by allowing the user to enter a new password via a secure mechanism. An admin cannot even set a new password for the user. And if the admin hits force password change, you're really in trouble. Isn't the "RequireQuestionAnswer" setting supposed to assist in a reset process?

Unless DNN 5.x has fixed this, it seems it is being completely ignored. So what is the verdict on this? Does it work, or will it ever work properly? Does anyone know?

In Gemini DNN-4568 suggests this was fixed a long time ago, but I don't think so.

Thanks,

Rob


Rob Ralston, SilverBullet Technologies LLC, www.silverbullettech.com
 
New Post
2/26/2010 3:21 PM
 

After some additional testing I want to add some clarification to my previous post.

If "requiresQuestionAndAnswer" is set to "false", then an admin can reset the user's password and an email will be sent to the user with a randomly generated new password. The admin could immediately also set "force password change" so the user could login, but then must change the PW. This would ensure that passwords sent in clear text emails could not be used long term. So this is helpful.

However, the main problem with this of course, is that the admin must be involved. On a small site, no big deal, but not good on a large site. So it would still be helpful if the user had a self service mechanism which would accomplish the above through a password reset request. But it would then be best if the "requiresQuestionAndAnswer" is set to "true" for registrations, so only the real user could easily request a reset.

Rob


Rob Ralston, SilverBullet Technologies LLC, www.silverbullettech.com
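The two posts above describe the admin-driven reset (random temporary password plus "force password change") and ask for a self-service reset that still works when passwords are stored hashed. The following Python model, added here as an illustration and not code from DNN or the ASP.NET membership provider, shows why retrieval fails on a hashed store and how both reset paths can be built on top of it: the security answer is hashed like the password, reset tokens are single-use, expiring and stored only as a hash, and the temporary password carries a must-change flag. The PBKDF2 iteration count, the one-hour token lifetime and all method names are assumptions of this example.

```python
"""Constructed model of a hashed-password store with admin and self-service reset.

Not DNN code: it mirrors the settings named in the thread (passwordFormat
"Hashed", requiresQuestionAndAnswer, "force password change") to show why
password retrieval is impossible but a secure reset is still possible.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 100_000      # assumed work factor; tune to your hardware
RESET_TOKEN_TTL_SECONDS = 3600   # assumed one-hour validity for a reset token


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the original secret cannot be recovered."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class User:
    password_salt: bytes
    password_hash: bytes
    answer_salt: bytes
    answer_hash: Optional[bytes]            # security answer, hashed like the password
    must_change_password: bool = False      # the "force password change" flag
    reset_token_hash: Optional[bytes] = None  # only the hash of a reset token is kept
    reset_token_expires: float = 0.0


class MembershipStore:
    def __init__(self, requires_question_and_answer: bool = True):
        self.requires_qa = requires_question_and_answer
        self.users = {}

    def create_user(self, name: str, password: str, answer: Optional[str] = None) -> None:
        if self.requires_qa and not answer:
            raise ValueError("security answer required")
        p_salt, a_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        self.users[name] = User(
            password_salt=p_salt,
            password_hash=_hash_secret(password, p_salt),
            answer_salt=a_salt,
            answer_hash=_hash_secret(answer, a_salt) if answer else None,
        )

    def get_password(self, name: str) -> str:
        """The retrieval path: with hashed storage there is nothing to send back."""
        raise PermissionError("Password retrieval is disabled on this site.")

    def login(self, name: str, password: str) -> str:
        user = self.users.get(name)
        if user is None or not hmac.compare_digest(
            _hash_secret(password, user.password_salt), user.password_hash
        ):
            return "DENIED"
        return "MUST_CHANGE" if user.must_change_password else "OK"

    def set_password(self, name: str, new_password: str) -> None:
        user = self.users[name]
        user.password_salt = secrets.token_bytes(16)   # fresh salt on every change
        user.password_hash = _hash_secret(new_password, user.password_salt)
        user.must_change_password = False
        user.reset_token_hash = None                   # any outstanding token is spent

    def admin_reset_password(self, name: str) -> str:
        """Admin path: random temporary password (to be e-mailed by the caller)
        with force-change set, so the value sent in clear cannot be used long term."""
        temp = secrets.token_urlsafe(12)
        self.set_password(name, temp)
        self.users[name].must_change_password = True
        return temp

    def request_reset(self, name: str, answer: Optional[str] = None,
                      now: Optional[float] = None) -> Optional[str]:
        """Self-service path: check the security answer when required, then
        issue a single-use, expiring token; the caller delivers it out of band."""
        now = time.time() if now is None else now
        user = self.users.get(name)
        if user is None:
            return None                      # same response as a wrong answer
        if self.requires_qa and (answer is None or not hmac.compare_digest(
            _hash_secret(answer, user.answer_salt), user.answer_hash
        )):
            return None
        token = secrets.token_urlsafe(32)
        user.reset_token_hash = hashlib.sha256(token.encode()).digest()
        user.reset_token_expires = now + RESET_TOKEN_TTL_SECONDS
        return token

    def complete_reset(self, name: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        user = self.users.get(name)
        if user is None or user.reset_token_hash is None or now > user.reset_token_expires:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, user.reset_token_hash):
            return False
        self.set_password(name, new_password)   # also invalidates the token
        return True
```

The `now` parameter exists only so that expiry can be exercised deterministically; in a real deployment the token would travel in a reset link and the temporary password in the e-mail the second post describes, and `request_reset` deliberately answers the same way for an unknown user and a wrong security answer.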
 