
Hashed passwords


  • 4/7/2015







In DotNetNuke 7.1.0, the default Password Format is being changed from encryption to hashing. This only applies to new installs; upgraded sites will retain the old format of encryption. To verify the setting, or to change it to an alternative value, users can check their existing membership provider entry and see whether it is in the following format:

 <add name="AspNetSqlMembershipProvider"
      type="System.Web.Security.SqlMembershipProvider"
      connectionStringName="SiteSqlServer"
      enablePasswordRetrieval="false"
      enablePasswordReset="true"
      requiresQuestionAndAnswer="false"
      minRequiredPasswordLength="7"
      minRequiredNonalphanumericCharacters="0"
      requiresUniqueEmail="false"
      passwordFormat="Hashed"
      applicationName="DotNetNuke"
      description="Stores and retrieves membership data from the local Microsoft SQL Server database"/>

Advantages of hashing

Because hashing is a one-way operation, if a website is compromised and the database is accessed or stolen, the hacker cannot easily calculate a user's password. If the site uses encryption and the hacker has the decryption key, then decrypting the password is trivial; with hashing it is much more difficult. If a site is using hashed passwords, a hacker would have to attempt to crack them with dictionary or rainbow table attacks (where large lists of pre-hashed potential passwords are checked), which is a much more intensive operation. In addition, DotNetNuke adds user-specific salt values, so the hacker would need to generate new lists for each individual user account. This additional effort provides better security for a site, which is why DotNetNuke uses hashing as the new default with 7.1.0.

Disadvantages of hashing

Because hashing is a one-way operation, any code which attempts to decrypt the user's password will fail. On occasion such code can exist for legitimate purposes, such as validating that the user is providing their current password; however, this cannot be supported in 7.1.0 and above.
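One way to run the verification step above over a site's configuration file, as an added example that is not DotNetNuke's own code. The function name `audit_membership` and the sample configuration are constructed for illustration; the lookup assumes the provider entry sits in the standard ASP.NET location, `system.web/membership/providers`.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not from a real site: an upgraded install that
# kept the pre-7.1.0 encrypted format.
SAMPLE_UPGRADED = """<configuration>
  <system.web>
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <clear />
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             enablePasswordRetrieval="true"
             passwordFormat="Encrypted" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

def audit_membership(config_xml, provider="AspNetSqlMembershipProvider"):
    """Return (passwordFormat, findings) for the named membership provider."""
    root = ET.fromstring(config_xml)
    for node in root.findall(".//membership/providers/add"):
        if node.get("name") == provider:
            break
    else:
        return None, ["provider entry not found"]
    # SqlMembershipProvider defaults when the attributes are absent:
    # passwordFormat="Hashed", enablePasswordRetrieval="false".
    fmt = node.get("passwordFormat", "Hashed")
    retrieval = node.get("enablePasswordRetrieval", "false").lower() == "true"
    findings = []
    if fmt == "Encrypted":
        findings.append("passwords are reversible with the decryption key")
    elif fmt == "Clear":
        findings.append("passwords are stored in plain text")
    elif fmt != "Hashed":
        findings.append("unrecognised passwordFormat value: " + fmt)
    if fmt == "Hashed" and retrieval:
        # The provider refuses this combination: a hash cannot be retrieved.
        findings.append("enablePasswordRetrieval=true conflicts with Hashed")
    elif retrieval:
        findings.append("password retrieval is enabled")
    return fmt, findings

if __name__ == "__main__":
    print(audit_membership(SAMPLE_UPGRADED))
```

An empty findings list with a format of `Hashed` corresponds to the new-install default described in this article.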