Secure user and password management

Return to previous page

  • 4/7/2015
  • 5920 Views

Comments

5920 Views

Secure user and password management

Last updated 6 years ago

Comments

Common

(Enter the content of this article below)

Advanced

 

Background

DotNetNuke ships with sensible defaults for both password storage as well as password complexity (to avoid users picking unsafe passwords). However sites can opt to change these for enhanced security - these decisions should be made prior to a site being installed as changing them after installation can lead to passwords being invalidated and users not being able to log in.


Password requirements

The web.config contains a DNNSQLMembershipProvider node. This contains two attributes,minRequiredPasswordLength & minRequiredNonalphanumericCharacters attributes that are used in conjunction to determine the required complexity of the
passwords DotNetNuke requires. Their defaults are 4 and 0 respectively. These values are used, as historically they correspond to the default length and complexity of the “host” account. You can alter these to more secure defaults i.e. 8 characters , one of
which must be non-alphanumeric

Default Setup

<add name="DNNSQLMembershipProvider" 

type="DotNetNuke.Security.Membership.DNNSQLMembershipProvider, DNNSQLMembershipProvider"
connectionStringName="SiteSqlServer" enablePasswordRetrieval="true"
enablePasswordReset="true" requiresQuestionAndAnswer="false"
minRequiredPasswordLength="4" minRequiredNonalphanumericCharacters="0"
requiresUniqueEmail="false" passwordFormat="Encrypted" applicationName="DotNetNuke"
description="Stores and retrieves membership data from the local Microsoft SQL Server
database" />



More Secure Setup – increased password length to eight characters, and required at least one non-alphanumeric characters.

<add name="DNNSQLMembershipProvider" 

type="DotNetNuke.Security.Membership.DNNSQLMembershipProvider, DNNSQLMembershipProvider"
connectionStringName="SiteSqlServer" enablePasswordRetrieval="true"
enablePasswordReset="true" requiresQuestionAndAnswer="false"
minRequiredPasswordLength="8" minRequiredNonalphanumericCharacters="1"
requiresUniqueEmail="false" passwordFormat="Encrypted" applicationName="DotNetNuke"
description="Stores and retrieves membership data from the local Microsoft SQL Server
database" />


Note: If you choose to increase the web.config defaults, you must also alter the two default users (“admin” and “host”) so their passwords match this rule, otherwise installation will fail. To do this, open the file at install/DotNetNuke.install.resources. Locate the and nodes, and change the respective subnodes to reflect the new rules e.g.

Default setup

<superuser> 

<firstname>SuperUser</firstname>
<lastname>Account</lastname>
<username>host</username>
<password>host</password>
<email>host</email>
<locale>en-US</locale>
<timezone>0</timezone>
</superuser>


Secured setup – host password is eight characters long with one alpha-numeric character

<superuser> 

<firstname>SuperUser</firstname>
<lastname>Account</lastname>
<username>host</username>
<password>dnnhost!</password>
<email>host</email>
<locale>en-US</locale>
<timezone>0</timezone>
</superuser>


Note: This change is probably the single most important hardening step, as increasing the length and complexity of the two known accounts (“host” and “admin”), significantly reduces the chances of someone cracking one of them using a dictionary based attack. With the release of DotNetNuke 3.3/4.1, the default password length has been extended to 7, and the relevant files have been updated.


Password storage format

The DNNSQLMembershipProvider node also defines the storage format of the passwords. By default DotNetNuke uses encryption of user passwords. This provides a good level of protection, and allows you to retrieve your password as encryption is a reversible operation. However, if you do not wise to support password retrieval, or want to ensure maximum protection, you may choose to use Hashing instead. Hashing is a non-reversible operation, so even if your database is accessed or stolen, a hacker cannot reverse engineer your password.

Snippet of default setup

…requiresUniqueEmail="false" passwordFormat="Encrypted" applicationName="DotNetNuke"… 


Alternative setup utilizing Hashed passwords

…requiresUniqueEmail="false" passwordFormat="Hashed" applicationName="DotNetNuke"…
Contents
No sections defined
Subscribe to DNN Digest

DNN Digest is our monthly email newsletter. It highlights news and content from around the DNN ecosystem, such as new modules and themes, messages from leadership, blog posts and notable tweets. Keep your finger on the pulse of the ecosystem by subscribing.  


Copyright 2017 by DNN Corp Terms of Use Privacy
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out