10/9/2011 8:23 PM
 
Anyone up for contributing such a module to the Extensions Forge?  I am sure it would be very popular! ;-)

Scott Willhite, Co-Founder DNN

"It is only with the heart that one can see rightly... what is essential is invisible to the eye. "
~ Antoine de Saint-Exupéry

10/9/2011 11:08 PM
 
I've been extending the module originally created by Mitchell Sellers (http://www.iowacomputergurus.com/free-products/dotnetnuke-modules/secure-password-recovery.aspx) and plan to release it as a free extension to Mitchell's module (with his permission). It expands on the original by adding captcha for the password recovery as well as a "spoof proof" GUID-based email link and the ability to resolve multiple accounts using the same email address.

I need to finish up a few details and have our security partner scan it for any known or open brute force, information leakage and anti-automation vulns.


Steven Webster
Manager, Community Platform
F5 Networks, DevCentral
10/14/2011 7:40 AM
 
Ended up contributing these changes back to Mitchell Sellers. You can download his free password recovery module here:

http://www.iowacomputergurus.com/free-products/dotnetnuke-modules/secure-password-recovery.aspx

PS - multiple account resolution did not make this build... something I'm still working on and will post back to Mitchell when proven.



Steven Webster
Manager, Community Platform
F5 Networks, DevCentral
10/14/2011 11:19 AM
 
Thanks Steven - I'll check that out.

Maybe it's just me though, but I feel like this situation could be tremendously improved with two pretty simple moves.

First, DNN should ALWAYS default to "Hashed" instead of "Encrypted" passwords. If somebody wants to use Encrypted passwords, cool, but I just don't think it should ever be the default.

Second, they should add a line to the password reset procedure that marks the user for forcing a password change on login. I put a request in Gemini on this a while back and never heard anything on it... then I realized that a bunch of other basically identical requests were put in and those were ignored too. The thing is that DNN will reset a user's password to a random string and email them their new temporary password, but it doesn't force them to change the password on login... which is nuts for like 10 different basic reasons.

Anyway - that'd be my thought on it...

Mike
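Steven's "spoof proof" GUID-based reset link and Mike's forced change on next login fit together in one two-step flow. The sketch below is an added example, not DNN core code or Mitchell Sellers' module; the User fields, the 15-minute link lifetime and the PBKDF2 parameters are assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
RESET_TTL = 15 * 60  # assumed lifetime (seconds) of a reset link, not a DNN setting

@dataclass
class User:
    password_hash: str
    must_change_password: bool = False  # Mike's flag: force a change at next login
    reset_token_hash: str = ""          # only the hash of the link token is stored
    reset_expires: float = 0.0

def hash_password(password: str) -> str:
    # Salted PBKDF2: "Hashed", not reversibly "Encrypted" (Mike's first point).
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()

def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(digest.hex(), digest_hex)

def reset_to_temporary_password(user: User) -> str:
    # The reset Mike describes (random temporary password emailed), plus the missing step.
    temp = secrets.token_urlsafe(12)
    user.password_hash = hash_password(temp)
    user.must_change_password = True  # first login with it must set a new password
    return temp  # goes into the email; never stored in the clear

def login(user: User, password: str) -> str:
    if not verify_password(password, user.password_hash):
        return "denied"
    return "change_required" if user.must_change_password else "ok"

def begin_link_reset(user: User, now: float) -> str:
    # Step 1 of the two-step flow: an unguessable single-use token for the email link.
    token = secrets.token_urlsafe(32)
    user.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
    user.reset_expires = now + RESET_TTL
    return token

def complete_link_reset(user: User, token: str, new_password: str, now: float) -> bool:
    # Step 2: accepted once, before expiry, compared in constant time.
    presented = hashlib.sha256(token.encode()).hexdigest()
    if (not user.reset_token_hash or now > user.reset_expires
            or not hmac.compare_digest(presented, user.reset_token_hash)):
        return False
    user.reset_token_hash = ""  # burn it: a replayed link fails
    user.password_hash = hash_password(new_password)
    user.must_change_password = False  # the user chose this password themselves
    return True
```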
10/19/2011 1:08 AM
 
Mike Ryckman wrote:
First, DNN should ALWAYS default to "Hashed" instead of "Encrypted" passwords. If somebody wants to use Encrypted passwords, cool, but I just don't think it should ever be the default.

Second, they should add a line to the password reset procedure that marks the user for forcing a password change on login. I put a request in Gemini on this a while back and never heard anything on it...

Mike

With hashed passwords users can never reset their password - they'd have to create a new account. Bit of a problem for a lot of sites.

The bigger issue is to ensure your site is not part of a hacking chain - users have the same passwords for multiple sites most of the time, and if the password is ever exposed via a DNN site it could become the 'lever' for further user account hacks on other sites.

We looked at this every which way trying to use the core or Mitch's module, and in the end had to write the new one to ensure a graceful yet secure two step password reset. While I'd like to be able to give it away free it represents a lot of commercial development hours, so it's a paid one - but very cheap for the peace of mind!

I have no doubt that this type of functionality will become core in time, but for now there is at least a module available to solve the problem.
