

Securing DotNetNuke Installs - Passwords

A while back I released a tool called Secure My Install that was designed to help people take existing DotNetNuke sites and change the way that they store passwords to a more secure process.  Many people have used that module successfully to convert their sites; however, I never took the time to share the few small steps needed to simply "secure" your site as soon as you set it up, so that you can avoid all of the hassle from the beginning.  In this post I'll walk through the simple process of changing your configuration from Encrypted passwords to Hashed passwords, with a bit of detail as to "why" you want to make the change.

Why Hashed Instead of Encrypted?

This is a pretty common question that I get from people, and the short, simple answer concerns how the passwords can be used.  If you have Encrypted passwords, it is possible to retrieve the user's current password and e-mail it to them.  It is equally easy for any custom module to read the passwords of user accounts with a simple API call.

Hashing the passwords uses a one-way (forward-only) method to store them, and when users log in the same hashing process is used to validate the password, rather than decrypting the stored password and comparing it.  Additionally, when passwords are hashed, password resets from the core send users a new password, which helps to reduce the risk of sending passwords via e-mail: at least you are not potentially giving away a user's "common" password.

Where Is This Configured?

The configuration of the Membership system is done in web.config, and the default DotNetNuke configuration section looks like this:

<add name="AspNetSqlMembershipProvider" 
    type="System.Web.Security.SqlMembershipProvider" 
    connectionStringName="SiteSqlServer" 
    enablePasswordRetrieval="true" 
    enablePasswordReset="true" 
    requiresQuestionAndAnswer="false" 
    minRequiredPasswordLength="7" 
    minRequiredNonalphanumericCharacters="0" 
    requiresUniqueEmail="false" 
    passwordFormat="Encrypted" 
    applicationName="DotNetNuke" />

The properties we are concerned with are the "passwordFormat" attribute and the "enablePasswordRetrieval" attribute.  We need to change both, as it isn't possible to 'retrieve' a password once passwords are hashed, so failing to change both properties will result in errors.

How/When to Make the Change

Now, on the surface this looks like a really simple change: update two values and we are done, right?  Well, it isn't quite so easy, as there are a number of things you need to look at, so I'll discuss the actual change and the situations to consider.

The Change

For all scenarios the changes are the same: enablePasswordRetrieval should be set to false and passwordFormat should be set to "Hashed".  As with any change of this nature, be sure to take a full site and database backup, just in case it doesn't work out as planned.
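As an added example (not code from the post, from DotNetNuke or from the Secure My Install module), the following Python script audits a web.config for the two attributes discussed above and rewrites them the way this section recommends, taking a backup copy first. The embedded sample web.config is constructed from the default provider entry shown above; the surrounding element nesting and the helper names (audit_provider, harden_provider, harden_file) are my own assumptions.

```python
"""Audit and harden the SqlMembershipProvider entry in a DotNetNuke web.config."""
import shutil
import time
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample web.config (not a real site's file): the default DotNetNuke
# provider entry from the post, wrapped in the elements ASP.NET expects around it.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <clear />
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="SiteSqlServer"
             enablePasswordRetrieval="true"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="0"
             requiresUniqueEmail="false"
             passwordFormat="Encrypted"
             applicationName="DotNetNuke" />
      </providers>
    </membership>
  </system.web>
</configuration>
"""

PROVIDER_NAME = "AspNetSqlMembershipProvider"


def _find_provider(root):
    """Locate the <add name="AspNetSqlMembershipProvider"> element wherever it is nested."""
    for node in root.iter("add"):
        if node.get("name") == PROVIDER_NAME:
            return node
    raise ValueError(f"{PROVIDER_NAME} entry not found in web.config")


def audit_provider(xml_text):
    """Return a list of findings; an empty list means the entry already uses hashed storage."""
    node = _find_provider(ET.fromstring(xml_text))
    # ASP.NET's own defaults apply when an attribute is absent: Hashed, no retrieval.
    fmt = node.get("passwordFormat", "Hashed")
    retrieval = node.get("enablePasswordRetrieval", "false").lower() == "true"
    findings = []
    if fmt != "Hashed":
        findings.append(f"passwordFormat={fmt}: stored passwords can be recovered in clear text")
    if retrieval:
        findings.append("enablePasswordRetrieval=true: the Membership API will hand passwords back")
    if fmt == "Hashed" and retrieval:
        # The error case the post warns about: retrieval is impossible for hashes,
        # so changing passwordFormat alone leaves the provider in a failing state.
        findings.append("inconsistent: enablePasswordRetrieval=true cannot be combined with Hashed")
    return findings


def harden_provider(xml_text):
    """Return the config text with both attributes set as the post recommends."""
    root = ET.fromstring(xml_text)
    node = _find_provider(root)
    node.set("passwordFormat", "Hashed")
    node.set("enablePasswordRetrieval", "false")
    return ET.tostring(root, encoding="unicode")


def harden_file(config_path):
    """Back up web.config beside itself, rewrite it hardened, and return the backup path."""
    config_path = Path(config_path)
    stamp = time.strftime("%Y%m%d%H%M%S")
    backup = config_path.with_name(f"{config_path.name}.{stamp}.bak")
    shutil.copy2(config_path, backup)  # keep the original, as the post advises
    hardened = harden_provider(config_path.read_text(encoding="utf-8"))
    config_path.write_text(hardened, encoding="utf-8")
    return backup


if __name__ == "__main__":
    for finding in audit_provider(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    print(harden_provider(SAMPLE_WEB_CONFIG))
```

Run it against a real site with harden_file(r"C:\inetpub\wwwroot\dnn\web.config") (path is a placeholder) on a new install before the wizard runs, as the next sections explain; note that ElementTree re-serialises the whole file, so review the diff against the backup before relying on it.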

New Installs - Before Installation

When working with a new install, if you make the changes noted above BEFORE you run the install wizard, you will have a portal set up from the beginning with the proper configuration.  This is the preferred way, as it is simple, quick, and doesn't expose you to any risk at all.  Once the portal is installed, simply use it as you would normally.

New Installs - Limited User Base

If you have a newer installation but don't yet have a large number of users on the system, you can still make the change.  Your existing users will be able to log in to the portal, but their passwords will remain in the "Encrypted" state forever (per my testing).  Once you make the change, it is recommended that you create "different" users to replace each of these user accounts, which will keep all users secure and all users on the same password format.  You can then simply delete the old user accounts.

Now, as you can imagine, this is not an ideal situation, so doing it before you install is the best option overall.

Existing Installs - Large User Base

This conversion requires a lot more effort to change and coordinate.  I have written a module that does this, but am working through issues on DNN 5.5.x and later where it isn't working as it should.  Regardless, a more manual process is needed: temporarily decrypt the passwords, then one-by-one reset the user passwords back to the same values, just hashed this time around.

Conclusion

I hope that you find this helpful.  Keeping user information secure is a very important task, and this is just one way that we can help keep things secure.

This post has been cross-posted from my Personal Blog

