In DotNetNuke 7.1.0, the default Password Format is being changed from encryption to hashing. This only applies to new installs; upgraded sites retain their existing format (normally encryption), because the attribute controls how new passwords are stored and changing it does not convert accounts that already exist. To verify the setting, or change it to an alternative value, open web.config and locate the AspNetSqlMembershipProvider entry under <membership><providers>. On a new 7.1.0 install it has passwordFormat="Hashed" and looks like this:
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="SiteSqlServer" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" requiresUniqueEmail="false" passwordFormat="Hashed" applicationName="DotNetNuke" description="Stores and retrieves membership data from the local Microsoft SQL Server database"/>
Note that the ASP.NET SqlMembershipProvider refuses to initialise (it throws a ProviderException at startup) when passwordFormat="Hashed" is combined with enablePasswordRetrieval="true", since a hashed password cannot be returned to the caller. Keep enablePasswordRetrieval="false" whenever you switch a site to hashing.
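As an added check, not code from DotNetNuke itself, the following Python script reads the membership provider entry out of a web.config and reports the password format, whether retrieval is enabled, and the configured hash algorithm, flagging the two things a reviewer looks for: a site still on encryption, and the Hashed/enablePasswordRetrieval="true" combination that stops the provider from starting. The two web.config fragments embedded in it are constructed for illustration (one mimicking an upgraded site, one a new install) and are not copied from any real site.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment resembling an upgraded site (illustration only).
UPGRADED_SITE = """<configuration>
  <system.web>
    <membership defaultProvider="AspNetSqlMembershipProvider"
                userIsOnlineTimeWindow="15" hashAlgorithmType="SHA1">
      <providers>
        <clear/>
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="SiteSqlServer"
             enablePasswordRetrieval="true" enablePasswordReset="true"
             requiresQuestionAndAnswer="false" minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="0" requiresUniqueEmail="false"
             passwordFormat="Encrypted" applicationName="DotNetNuke"/>
      </providers>
    </membership>
  </system.web>
</configuration>"""

# The same fragment as a new 7.1.0 install would have it: hashed, no retrieval.
NEW_INSTALL = (UPGRADED_SITE
               .replace('passwordFormat="Encrypted"', 'passwordFormat="Hashed"')
               .replace('enablePasswordRetrieval="true"',
                        'enablePasswordRetrieval="false"'))


def audit_membership_provider(config_xml, provider_name="AspNetSqlMembershipProvider"):
    """Return the provider's password settings plus a list of findings.

    Defaults applied when an attribute is absent are the ASP.NET defaults:
    passwordFormat=Hashed, enablePasswordRetrieval=false, hashAlgorithmType=SHA1.
    """
    root = ET.fromstring(config_xml)
    membership = root.find("system.web/membership")
    if membership is None:
        raise ValueError("no <membership> section found under <system.web>")

    provider = next((add for add in membership.iter("add")
                     if add.get("name") == provider_name), None)
    if provider is None:
        raise ValueError(f"provider {provider_name!r} not found")

    fmt = provider.get("passwordFormat", "Hashed")
    retrieval = provider.get("enablePasswordRetrieval", "false").lower() == "true"
    algorithm = membership.get("hashAlgorithmType", "SHA1")

    findings = []
    if fmt != "Hashed":
        findings.append(
            f"passwordFormat is {fmt}: stored passwords are reversible with the "
            "machineKey in this same web.config; plan a migration to Hashed")
    if fmt == "Hashed" and retrieval:
        findings.append(
            "enablePasswordRetrieval=true with passwordFormat=Hashed: "
            "SqlMembershipProvider throws a ProviderException at startup; set it to false")

    return {"passwordFormat": fmt, "enablePasswordRetrieval": retrieval,
            "hashAlgorithmType": algorithm, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("upgraded site", UPGRADED_SITE), ("new install", NEW_INSTALL)):
        result = audit_membership_provider(cfg)
        print(label, result["passwordFormat"], result["hashAlgorithmType"])
        for finding in result["findings"]:
            print("  -", finding)
```

To run it against a real site, read the file with open("web.config").read() and pass the text to audit_membership_provider; it only inspects attributes and changes nothing.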
Advantages of hashing
Hashing is a one-way operation: if the website is compromised and the database is accessed or stolen, the attacker cannot reverse the stored value to recover the user's password. With encryption the stored value is reversible, and the key (the machineKey decryptionKey) lives in the same web.config as the database connection string, so an attacker who has reached the database has usually also obtained the key and decrypting every password is trivial. With hashed passwords the attacker has to guess instead: hash candidate passwords from a dictionary, or look the stored values up in a precomputed (rainbow) table of hashed candidates, which is a far more expensive operation and only succeeds for passwords that appear in the attacker's lists. In addition, DotNetNuke stores a random, user-specific SALT value (through the ASP.NET membership provider) that is mixed into each hash, so two users with the same password have different stored hashes, a precomputed table is useless, and the attacker has to rehash every guess separately for each individual user account. This additional effort provides better security for a site, which is why DotNetNuke uses hashing as the new default with 7.1.0. The hash algorithm is set by hashAlgorithmType on the <membership> element (SHA1 when unspecified); because that is a fast hash, the protection still depends on users choosing passwords that are not in common wordlists, so minRequiredPasswordLength remains worth enforcing.
Disadvantages of hashing
As hashing is a one-way operation, any code which attempts to retrieve or decrypt the user's stored password (for example a call to Membership.GetPassword, or a password-reminder mail that sends the existing password) will fail. On occasion such code exists for legitimate purposes, such as checking that the user has supplied their current password before allowing a change. That check does not need the plaintext: hashing the supplied value with the user's salt and comparing it with the stored hash is exactly what Membership.ValidateUser does, and code should be rewritten that way. Retrieving the original password cannot be supported in 7.1.0 and above; use a password reset instead.
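To make the two points above concrete, here is an added Python example (not DotNetNuke or ASP.NET code) that reimplements, as an assumption about the provider's behaviour, the salted hashing that SqlMembershipProvider uses for passwordFormat="Hashed": hash(salt bytes followed by the password as UTF-16LE), base64-encoded, with a 16-byte random salt stored beside it. It shows that validating a current password needs no decryption (the point of the disadvantages paragraph), that two users with the same password get different stored hashes, that a table precomputed for one user's salt does not crack another user, and that a dictionary attack has to rehash each guess per account (the points of the advantages paragraph). The sample accounts and wordlist are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os

# Assumption: this mirrors SqlMembershipProvider's EncodePassword for the
# Hashed format; it is an illustration, not the provider's own code.
# Stored form per account (aspnet_Membership columns):
#   PasswordSalt = base64(16 random bytes)
#   Password     = base64(hash(salt_bytes || UTF-16LE(password)))
DEFAULT_ALGORITHM = "sha1"  # ASP.NET's default hashAlgorithmType


def generate_salt():
    """16 random bytes, base64-encoded, as stored in PasswordSalt."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def encode_password_hashed(password, salt_b64, algorithm=DEFAULT_ALGORITHM):
    """base64(hash(salt + password encoded as UTF-16LE without BOM))."""
    salt = base64.b64decode(salt_b64)
    digest = hashlib.new(algorithm, salt + password.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")


def validate_user(password, stored_hash_b64, salt_b64, algorithm=DEFAULT_ALGORITHM):
    """Current-password check without any decryption: rehash the candidate with
    the account's salt and compare in constant time (ValidateUser-style)."""
    candidate = encode_password_hashed(password, salt_b64, algorithm)
    return hmac.compare_digest(candidate, stored_hash_b64)


def precompute_table(salt_b64, wordlist, algorithm=DEFAULT_ALGORITHM):
    """A precomputed (rainbow-style) table hash -> password for ONE salt.
    It only hits accounts that share that exact salt."""
    return {encode_password_hashed(w, salt_b64, algorithm): w for w in wordlist}


def crack_row(stored_hash_b64, salt_b64, wordlist, algorithm=DEFAULT_ALGORITHM):
    """Dictionary attack on a single account: every guess must be rehashed with
    this account's salt. Returns (password or None, hashes computed)."""
    attempts = 0
    for guess in wordlist:
        attempts += 1
        if encode_password_hashed(guess, salt_b64, algorithm) == stored_hash_b64:
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed sample data: alice and bob chose the same weak password.
    wordlist = ["123456", "password", "letmein", "Summer2013", "qwerty"]
    rows = {}  # username -> (salt, stored hash)
    for name, pw in [("alice", "Summer2013"), ("bob", "Summer2013"),
                     ("carol", "correct horse battery staple")]:
        salt = generate_salt()
        rows[name] = (salt, encode_password_hashed(pw, salt))

    print("same password, different stored hashes:",
          rows["alice"][1] != rows["bob"][1])
    table = precompute_table(rows["alice"][0], wordlist)
    print("table built for alice's salt cracks bob:", rows["bob"][1] in table)
    for name, (salt, stored) in rows.items():
        print(name, "->", crack_row(stored, salt, wordlist))
    print("ValidateUser-style check for alice:",
          validate_user("Summer2013", rows["alice"][1], rows["alice"][0]))
```

The per-user salt is what turns one precomputation into one precomputation per account; it does not slow down guessing a single weak password, which is why the hash algorithm and the minimum password length still matter.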