Products

Evoq Content Overview Content Creation Workflow Asset Management Mobile Responsive Personalization Content Analytics SEO Integrations Security Website PerformanceEvoq Engage Overview Community Management  Dashboard  Analytics  Member Profile Gamification Advocate Marketing Community Engagement  Ideas  Answers  Discussions  Groups  Wikis  Events Mobile ReadyDNN Support PackagesEvoq: CMS FeaturesEvoq OnDemandCompare DNN's CMS Products

Solutions

Content Management SystemMulti-Channel PublishingDigital MarketingOnline Community ManagementIntranet Software SolutionOur CustomersPrime

Resources

Test DrivesSchedule A DemoDocumentation CenterWebinarsWhite PapersProduct ManualsRequest PricingData SheetsCase StudiesEvoq Preferred Products Content Management Ecommerce Forms Identity Management and Authentication Site Management Social Themes

Partners

DNN Partners Partner Directory Become a DNN Partner Partner Program Overview  Hosting  Implementation  ISV  Training  Competencies

Community

Participate Ask a Question Forums Community Showcase DNN MVP  Program Overview  Lifetime MVPs  Honorary MVPs Subscribe to DNN Digest Advisory Groups  Awareness Advisory Group  Developer Advisory Group  Partner Advisory Group  Technology Advisory GroupLearn Documentation Wiki Community Blog Video Library Project History Development RoadmapDownload DNN Store Language Packs Manuals Nightly BuildsSecurity Policies Security Center

About

News Press Releases News Coverage Press KitCareersContact DNN

New Community Website

Ordinarily, you'd be at the right spot, but we've recently launched a brand new community website... For the community, by the community.

Yay... Take Me to the Community!

Secure user and password management

Return to previous page

Edit
  • 4/7/2015
  • 14836 Views
Report

Comments

14836 Views

Secure user and password management

Last updated long time ago

Comments

Common

(Enter the content of this article below)

Advanced

 

Background

DotNetNuke ships with sensible defaults for both password storage as well as password complexity (to avoid users picking unsafe passwords). However sites can opt to change these for enhanced security - these decisions should be made prior to a site being installed as changing them after installation can lead to passwords being invalidated and users not being able to log in.


Password requirements

The web.config contains a DNNSQLMembershipProvider node. This contains two attributes,minRequiredPasswordLength & minRequiredNonalphanumericCharacters attributes that are used in conjunction to determine the required complexity of the
passwords DotNetNuke requires. Their defaults are 4 and 0 respectively. These values are used, as historically they correspond to the default length and complexity of the “host” account. You can alter these to more secure defaults i.e. 8 characters , one of
which must be non-alphanumeric

Default Setup 

<add name="DNNSQLMembershipProvider" 

type="DotNetNuke.Security.Membership.DNNSQLMembershipProvider, DNNSQLMembershipProvider" 

connectionStringName="SiteSqlServer" enablePasswordRetrieval="true" 

enablePasswordReset="true" requiresQuestionAndAnswer="false" 

minRequiredPasswordLength="4" minRequiredNonalphanumericCharacters="0" 

requiresUniqueEmail="false" passwordFormat="Encrypted" applicationName="DotNetNuke" 

description="Stores and retrieves membership data from the local Microsoft SQL Server 

database" />



More Secure Setup – increased password length to eight characters, and required at least one non-alphanumeric characters. 

<add name="DNNSQLMembershipProvider" 

type="DotNetNuke.Security.Membership.DNNSQLMembershipProvider, DNNSQLMembershipProvider" 

connectionStringName="SiteSqlServer" enablePasswordRetrieval="true" 

enablePasswordReset="true" requiresQuestionAndAnswer="false" 

minRequiredPasswordLength="8" minRequiredNonalphanumericCharacters="1" 

requiresUniqueEmail="false" passwordFormat="Encrypted" applicationName="DotNetNuke" 

description="Stores and retrieves membership data from the local Microsoft SQL Server 

database" />


Note: If you choose to increase the web.config defaults, you must also alter the two default users (“admin” and “host”) so their passwords match this rule, otherwise installation will fail. To do this, open the file at install/DotNetNuke.install.resources. Locate the and nodes, and change the respective subnodes to reflect the new rules e.g.

Default setup 

<superuser> 

  <firstname>SuperUser</firstname> 

  <lastname>Account</lastname> 

  <username>host</username> 

  <password>host</password> 

  <email>host</email> 

  <locale>en-US</locale> 

  <timezone>0</timezone>  

 </superuser>


Secured setup – host password is eight characters long with one alpha-numeric character 

<superuser> 

  <firstname>SuperUser</firstname> 

  <lastname>Account</lastname> 

  <username>host</username> 

  <password>dnnhost!</password> 

  <email>host</email> 

  <locale>en-US</locale> 

  <timezone>0</timezone> 

 </superuser>


Note: This change is probably the single most important hardening step, as increasing the length and complexity of the two known accounts (“host” and “admin”), significantly reduces the chances of someone cracking one of them using a dictionary based attack. With the release of DotNetNuke 3.3/4.1, the default password length has been extended to 7, and the relevant files have been updated.


Password storage format

The DNNSQLMembershipProvider node also defines the storage format of the passwords. By default DotNetNuke uses encryption of user passwords. This provides a good level of protection, and allows you to retrieve your password as encryption is a reversible operation. However, if you do not wise to support password retrieval, or want to ensure maximum protection, you may choose to use Hashing instead. Hashing is a non-reversible operation, so even if your database is accessed or stolen, a hacker cannot reverse engineer your password.

Snippet of default setup 

…requiresUniqueEmail="false" passwordFormat="Encrypted" applicationName="DotNetNuke"…


Alternative setup utilizing Hashed passwords 

…requiresUniqueEmail="false" passwordFormat="Hashed" applicationName="DotNetNuke"…
Contents
No sections defined
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out