Hashed passwords

4/7/2015

Background

In DotNetNuke 7.1.0, the default Password Format is changed from encryption to hashing. This applies only to new installs; upgraded sites retain their existing encryption format. To verify the setting, or to change it to an alternative value, check the existing membership provider setting, which has the following format:

 <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="SiteSqlServer" enablePasswordRetrieval="true" enablePasswordReset="true" requiresQuestionAndAnswer="false" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" requiresUniqueEmail="false" passwordFormat="Hashed" applicationName="DotNetNuke" description="Stores and retrieves membership data from the local Microsoft SQL Server database"/>

Advantages of hashing

As hashing is a one-way operation, if a website is compromised and its database is accessed or stolen, the attacker cannot easily recover the users' passwords. If the site uses encryption and the attacker also obtains the decryption key, decrypting the passwords is trivial; with hashing it is much more difficult. With hashed passwords, an attacker would have to attempt to crack them using dictionary or rainbow-table attacks (where large lists of pre-hashed candidate passwords are compared against the stored values), which is a far more intensive operation. In addition, DotNetNuke adds a user-specific SALT value to each password, so that such lists would have to be regenerated for every individual user account. This additional effort provides better security for a site, which is why DotNetNuke uses hashing as the new default in 7.1.0.

Disadvantages of hashing

As hashing is a one-way operation, any code that attempts to decrypt a user's password will fail. Such code can occasionally exist for legitimate purposes, such as validating that the user is providing their current password, but this cannot be supported in 7.1.0 and above.
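As an added example (not part of the original article and not DotNetNuke's own code), the following Python reproduces the SqlMembershipProvider "Hashed" format as assumed here (SHA-1 over the per-user salt followed by the UTF-16LE password, Base64-encoded, with a 16-byte Base64 salt) and shows that a "is this the user's current password?" check still works by re-hashing the candidate, with no decryption involved:

```python
import base64
import hashlib
import hmac
import os

# Assumed layout of the SqlMembershipProvider "Hashed" passwordFormat (default
# hashAlgorithmType SHA1), as used by the AspNetSqlMembershipProvider entry above:
#   stored_hash = Base64( SHA1( salt_bytes || UTF-16LE(password) ) )
#   stored_salt = Base64( 16 random bytes ), one per user account
# This is the standard ASP.NET provider behaviour, not code from DotNetNuke itself.

def generate_salt() -> str:
    """Fresh per-user salt; the Base64 string is what gets stored beside the hash."""
    return base64.b64encode(os.urandom(16)).decode("ascii")

def hash_password(password: str, salt_b64: str) -> str:
    """Encode a password the way the provider does: salt first, then UTF-16LE text."""
    salt = base64.b64decode(salt_b64)
    # A single SHA-1 round is fast; hashAlgorithmType can select a stronger digest.
    digest = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")

def verify_password(candidate: str, salt_b64: str, stored_hash_b64: str) -> bool:
    """'Is this the user's current password?' without decrypting anything:
    re-hash the candidate with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(candidate, salt_b64), stored_hash_b64)

# Two constructed salts (not real user data) so that demo() is deterministic.
DEMO_SALT_A = base64.b64encode(bytes(range(16))).decode("ascii")
DEMO_SALT_B = base64.b64encode(bytes(range(16, 32))).decode("ascii")

def demo() -> dict:
    """Show the properties the article relies on: verification works, and the
    same password hashed under two users' salts gives two unrelated values."""
    password = "Pa55word!"
    hash_a = hash_password(password, DEMO_SALT_A)
    hash_b = hash_password(password, DEMO_SALT_B)
    return {
        "correct_password_verifies": verify_password(password, DEMO_SALT_A, hash_a),
        "wrong_password_rejected": not verify_password("pa55word!", DEMO_SALT_A, hash_a),
        "same_password_different_salts_differ": hash_a != hash_b,
        "hash_b64_length": len(hash_a),  # 20-byte SHA-1 digest -> 28 Base64 chars
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```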

Copyright 2017 by DNN Corp