Password Defaults
New Post
7/10/2012 2:27 PM
 

Hello,

I saw a different password question that got me thinking, again, about what is perhaps my single biggest issue with DNN: the approach to passwords.

First, (from the other thread) why on earth do you have the ability to decrypt our passwords? DotNetNuke.com probably has millions of user accounts... it seems to me like it's just a sitting target for hackers. I actually use a dotnetnuke.com-only password for this exact reason - I know DNN's passwords are insecure. I just think this is embarrassing to DNN and to the project. It would be particularly embarrassing if the DNN database was stolen. Of course, that's not tremendously likely, but, from a security perspective, you should just assume it happens every day.

Second, why do all the default email templates email people's passwords to them? This is totally insecure and further broadcasts DNN's poor password defaults.

Lastly, why is there such poor support for better password management - like using hashed passwords? The password reset stuff doesn't force the user to change their password, and admins need to change a bunch of different email templates to keep DNN from emailing their passwords out...

I know some people will respond and say "because our users like password reminders"! But, that's bad policy... we know better than the users and we know password reminders aren't worth the security risks... that's why reputable companies use resets and not reminders. You might say that "admins can choose more secure passwords if they want", but, why not let them choose the less secure option? I have no problem with some admin going the opposite way, but, DNN should default to the best option.

Sorry for the harsh tone here, but in my mind, this is a major failing of DNN. Users have complained about it for years too... Mitchell Sellers had a great post on this a few years ago, for example, as well as a good follow-up post at DNNgallery...

Hope all's well,

Mike

 
New Post
7/12/2012 2:02 AM
 
Mike,

Since you referenced my post here I'm sure that you already know my opinion on this. I'm actually preparing a "Creating a more secure DNN installation Package" post here in the next week or two that talks about a way to make this a bit easier from the beginning. But I agree that this is an area where improvements could be made.

I'm trying to come up with the "Feature" list though to submit a formal ticket via http://support.dotnetnuke.com to help more.

-Mitchel Sellers
Microsoft MVP, ASPInsider, DNN MVP
CEO/Director of Development - IowaComputerGurus Inc.
LinkedIn Profile

Visit mitchelsellers.com for my mostly DNN Blog and support forum.

Visit IowaComputerGurus.com for free DNN Modules, DNN Performance Tips, DNN Consulting Quotes, and DNN Technical Support Services
 
New Post
7/12/2012 1:02 PM
 

Thanks Mitchel... I think a secure install package is a great idea. I also agree it's smart to come up with a consistent feature list. I feel like the question discussed in the dnngallery follow-up to your post is a tough call though... I'm referring here to the link to reset vs. the temporary passwords.

One of the things that was frustrating with the security stuff was that a lot of it could be made better by just changing a few defaults in the install package. The more things that need to be added to DNN, the more trouble these changes will be and the longer they will take. Given that, I would break up the recommended updates into two groups, an "immediate" group and a "long term" group.

Immediate:

  • Remove any passwords from email templates
  • Force a password change the first time a user logs in after a reset (this does require a code change, but it's a minor change and the request is already slated for 6.2.3 I think.)
  • Change defaults in web.config membership provider
    • Hashed Passwords
    • Password recovery = false
    • Password reset = true

Long Term:

  • Create method for password change using a link to the user rather than a temporary password
  • Improve flexibility and options in password question and answer framework. For example, make it possible to have multiple questions or a question list defined by administrators.


Thanks; hope all's well,

Mike
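The membership-provider defaults from the "Immediate" list above, shown as a web.config fragment with the weak settings beside the corrected ones. This is an added example, not taken from the thread or from DNN's shipped web.config; the "before" values are an assumption that reflects the reversible-encryption, password-retrieval behaviour the thread describes, and the provider name and connection string name are assumed.

```xml
<!-- Before (assumed): reversible encryption plus retrieval lets the site
     decrypt a password and drop it into an email template. -->
<membership defaultProvider="AspNetSqlMembershipProvider">
  <providers>
    <clear />
    <add name="AspNetSqlMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider"
         connectionStringName="SiteSqlServer"
         enablePasswordRetrieval="true"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false"
         passwordFormat="Encrypted" />
  </providers>
</membership>

<!-- After: one-way hashes, no retrieval, reset only. With passwordFormat="Hashed"
     the provider cannot return the clear text, so retrieval must be off (the
     provider refuses the combination Hashed + enablePasswordRetrieval="true" at
     startup), and any email template that references the password has nothing
     to send and should drop that token. -->
<membership defaultProvider="AspNetSqlMembershipProvider">
  <providers>
    <clear />
    <add name="AspNetSqlMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider"
         connectionStringName="SiteSqlServer"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false"
         passwordFormat="Hashed"
         minRequiredPasswordLength="8"
         minRequiredNonalphanumericCharacters="0"
         maxInvalidPasswordAttempts="5"
         passwordAttemptWindow="10" />
  </providers>
</membership>
```

The provider records the storage format per account, so existing accounts keep their reversible-encrypted passwords until each password is next set; switching the default protects new passwords only, which is one reason a forced change after reset matters.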

 
New Post
7/12/2012 2:37 PM
 
I could not agree more with both of you. Just as a note, Mitchel's Secure Password Recovery module: http://www.iowacomputergurus.com/products/dotnetnuke-extensions/secure-password-recovery worked really well for us and passed all of the security guys' tests.

I was lucky enough to have contributed to that project as part of a zero vulnerability drive on one of our sites. It includes temporary tokens to validate the requestor's email address, times out if the recovery isn't used, implements CAPTCHA for recovery requests and even checks the lockout status of a user before sending a reset request.

Frankly, I don't know why THAT module isn't the standard in the core. Even with this module in place, we still had to hack up DNN Core a bit to make it seamless and disable certain pages so users couldn't get around it and use the core recovery.



Steven Webster
Manager, Community Platform
F5 Networks, DevCentral
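The reset-link design the posts above argue for (a one-time token tied to the address, an expiry, a CAPTCHA gate, a lockout check, and no clear-text password anywhere), as an added example; this is not the Secure Password Recovery module's code nor DNN's. It assumes an in-memory user store, a caller-supplied CAPTCHA result, and an injectable clock so the expiry can be exercised.

```python
"""Token-based password reset (added example; assumptions: in-memory stores,
caller-supplied CAPTCHA result, injectable clock)."""
import hashlib, hmac, os, secrets, time

TOKEN_TTL = 15 * 60   # seconds a reset link stays valid (constructed value)
USERS = {}            # email -> {"pw": (salt, hash), "locked": bool}
TOKENS = {}           # sha256(token) -> (email, expiry)

def hash_password(pw, salt=None):
    """PBKDF2-HMAC-SHA256; only the hash is stored, so nothing can be emailed back."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

def add_user(email, pw, locked=False):
    USERS[email] = {"pw": hash_password(pw), "locked": locked}

def verify_password(email, pw):
    u = USERS.get(email)
    if u is None:
        return False
    salt, h = u["pw"]
    return hmac.compare_digest(h, hash_password(pw, salt)[1])

def request_reset(email, captcha_ok, now=None):
    """Returns the one-time token for the emailed link, or None.
    The caller shows the same 'check your mail' message either way, so the
    response does not reveal whether the address exists or is locked."""
    now = time.time() if now is None else now
    if not captcha_ok:                  # CAPTCHA gates automated requests
        return None
    u = USERS.get(email)
    if u is None or u["locked"]:        # lockout check before anything is sent
        return None
    token = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
    # Store only the hash: a copied database does not yield usable reset links.
    TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (email, now + TOKEN_TTL)
    return token

def redeem_reset(token, new_pw, now=None):
    """Consumes the token: valid once, only before expiry, then sets the new password."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    rec = TOKENS.pop(key, None)         # single use, removed on success or failure
    if rec is None:
        return False
    email, expiry = rec
    if now > expiry:                    # timed out: the link is dead
        return False
    USERS[email]["pw"] = hash_password(new_pw)
    return True
```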
 
New Post
7/16/2012 6:07 PM
 

For anybody interested, I added some of this stuff as a community voice request last week:

http://www.dotnetnuke.com/Community/C...

Mike

 