"Password reminder" and security problem

10/8/2008 3:43 PM
Hi,

I was very discouraged to test out the password reminder capability of DNN and see that the system emailed me my password.  Emailing me my password is not quite the same as emailing me a password "reminder". 

This is a very serious security issue - users are not informed that their passwords are stored in an unencryptable form when they sign up for a DNN account on your portal.    They are not informed at the time of signup that the portal can send them their actual password by email if they forget it, and they should be.   A user may not like having their own moderately secure password sent to them in their email box, where sometimes they aren't even able to delete the traces of it.

By emailing the user their password, anytime I see someone in any WLAN public location (not connected via VPN)  that I know is using a DNN web portal in their company, I can connect to their DNN site, have their server send them a "Password Reminder", wait for their email to check, and snoop their password.

To make matters even worse, users should be aware that use of the single signon module also exposes those passwords as well - this means that if you are using single signon with windows authentication and are a network administrator and connected even internally via WLAN on your laptop not through VPN and have your email open, anyone in your company that can also connect to your WLAN can easily steal your network administration password.

My suspicion is that most DNN users are not aware of the fact that just having their email client open and checking email on any WLAN not over VPN provides a means for unauthorized password snooping.  And when I forgot my password on this site, I was very displeased to see that my password was sent over plaintext to my own email account when I couldn't remember which password I was using. I had used a variant of my own "medium security" password for access to this forum and portal.

Here is a more industry standard approach:

http://www.dotnetnuke.com/Community/Forums/tabid/795/forumid/118/threadid/35249/scope/posts/Default.aspx

Blessings,

Mike

10/8/2008 5:03 PM
Hi Mike,

I think you can't blame dnn, the membership provider it uses is great (and secure).

When users forget their password and let dnn mail it to them, you have two security items which the user is responsible for (and not dnn).

1. If you use a mailserver with SSL you have no problem.

2. If you use a public WLAN (without encryption) you really ask for problems.

I think you can't blame dnn for security problems which a user creates. If you check "remember password" and someone else uses your computer, you can't blame dnn that someone can log in.

10/8/2008 6:22 PM
Hi Mike,

These options are configurable through the provider declaration in your web.config (at configuration/system.web/membership/providers). For example, the AspNetSqlMembershipProvider supports passwordFormat="Hashed", which I always encourage. If you wish to disable password retrieval, add an enablePasswordRetrieval="false" to your provider element. I always recommend hashing passwords and using requiresQuestionAndAnswer="true".

DNN supports all of these scenarios, allowing a host to set requirements according to the information being protected.  If you're unhappy with these options, you can always plug in a provider and roll your own security.  I almost universally discourage this; it will almost certainly be less secure than the default provider.

I believe this addresses all of your concerns.

Brandon

 


Brandon Haynes
BrandonHaynes.org
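As an added illustration, not code from the thread or from DNN's own distribution, here is the membership provider element as it is declared in a DNN web.config with cleartext retrieval possible, beside the hardened form Brandon describes; the connection string name and the attribute values other than the three discussed are assumed.

```xml
<!-- Added example, not from the thread. Both fragments sit at
     configuration/system.web/membership/providers in web.config.
     Attribute values other than the three under discussion are assumed. -->

<!-- BEFORE: reversible storage plus retrieval enabled, so the
     "Password Reminder" feature can mail the original password. -->
<membership defaultProvider="AspNetSqlMembershipProvider">
  <providers>
    <clear />
    <add name="AspNetSqlMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider"
         connectionStringName="SiteSqlServer"
         applicationName="DotNetNuke"
         passwordFormat="Encrypted"
         enablePasswordRetrieval="true"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false" />
  </providers>
</membership>

<!-- AFTER: one-way hashes; the provider can only issue a reset and can
     never return the stored password. SqlMembershipProvider refuses to
     initialise when passwordFormat="Hashed" is combined with
     enablePasswordRetrieval="true", so the two must be changed together. -->
<membership defaultProvider="AspNetSqlMembershipProvider">
  <providers>
    <clear />
    <add name="AspNetSqlMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider"
         connectionStringName="SiteSqlServer"
         applicationName="DotNetNuke"
         passwordFormat="Hashed"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="true" />
  </providers>
</membership>
```

Changing passwordFormat does not convert passwords already in the database; existing accounts keep the format they were stored with until their password is reset.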